A user downloads a patch from an unknown repository to update their device. After applying the patch, the system becomes unresponsive. An incident response team receives alerts sent by an FIM platform and indicates that the hashes of the operating system files have changed. Which of the following attacks most likely occurred?

A logic bomb is a piece of malicious code that activates under specific conditions. While it can cause system disruption, it typically does not involve simultaneous hash changes across multiple files. The scenario describes an immediate and widespread impact, which aligns more closely with the stealthy behavior of a rootkit than the triggered nature of a logic bomb.

Keyloggers are designed to capture keystrokes to gather sensitive information, such as passwords. Although they can be malicious, they do not typically alter system files or their hashes. Their primary function is to monitor user activities rather than disrupt system functionality, making them an unlikely cause for the observed symptoms.

Ransomware encrypts files and demands payment for decryption, often causing system unresponsiveness. However, it usually results in specific file changes (such as encryption indicators) rather than simultaneous hash changes across various files. Therefore, while ransomware can cause issues, it does not fit the scenario of simultaneous hash alterations as precisely as a rootkit does.