An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.
Which of the following can be inferred from this activity?
A . 10.200.2.0/24 is infected with ransomware.
B . 10.200.2.0/24 is not routable address space.
C . 10.200.2.5 is a rogue endpoint.
D . 10.200.2.5 is exfiltrating data.
Answer: D