A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company’s server.

Which of the following is the FIRST step the analyst should take?

A. Create a full disk image of the server’s hard drive to look for the file containing the malware.
B. Run a manual antivirus scan on the machine to look for known malicious software.
C. Take a memory snapshot of the machine to capture volatile information stored in memory.

D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.