nerdexam

SY0-501 Question #204: Real Exam Question with Answer & Explanation


Submitted by fatema_kw · Mar 4, 2026 · Threats, vulnerabilities, and mitigations

Question

A technician suspects that a system has been compromised. The technician reviews the following log entries:

WARNING- hash mismatch: C:\Windows\SysWOW64\user32.dll
WARNING- hash mismatch: C:\Windows\SysWOW64\kernel32.dll

Based solely on the above information, which of the following types of malware is MOST likely installed on the system?

Options

  • A. Rootkit
  • B. Ransomware
  • C. Trojan
  • D. Backdoor

Explanation

Rootkit (A) is the correct answer. user32.dll and kernel32.dll are core Windows libraries loaded into nearly every process (SysWOW64 holds the 32-bit copies on a 64-bit system), and an integrity checker reporting that their hashes no longer match the known-good baseline is a hallmark indicator of rootkit activity: rootkits modify or replace legitimate OS files so they can hook system calls, hide their own files and processes, and keep persistent, low-level control of the system. A hash mismatch on a system DLL can also follow a legitimate Windows Update, so in practice a technician would confirm the finding (for example by checking the file's Authenticode signature, running sfc /scannow, or comparing hashes from a scan booted from trusted media, since a kernel-mode rootkit can lie to tools running on the infected host); but based solely on the information given, a rootkit is the most likely explanation.

Why the others are wrong:

  • Ransomware (B) encrypts user data files (documents, images) and demands payment - it doesn't typically tamper with system DLLs
  • Trojan (C) disguises itself as legitimate software to trick users into installing it, but doesn't specifically target system-level library files for modification
  • Backdoor (D) creates unauthorized remote access channels; while sometimes installed by rootkits, a backdoor alone doesn't explain DLL hash mismatches

Memory tip: Think "root = deep." A rootkit operates at the deepest level of the OS (the "root"), so it modifies the most fundamental files - system DLLs like kernel32.dll. Hash mismatches on system files = something is hiding in the roots of the OS = rootkit.
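As an added example (not part of the original question or its explanation), the Python script below shows both halves of what the log implies: an integrity checker that re-hashes baselined files and emits the page's "WARNING- hash mismatch" line for each change, and a parser that reads such lines back and flags the ones that hit the Windows system-library directories, the pattern the explanation calls a rootkit indicator. The directory list, the regular expression for the log format, and the fake DLL files created in a temporary directory are all assumptions constructed for the demo; no real Windows files are read.

```python
"""Added example, not from the original page: a minimal file-integrity check that
produces "WARNING- hash mismatch" lines, plus a classifier that reads them back.
Everything below (directories, log format, sample files) is constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Assumed: directories whose DLLs are the classic rootkit tampering targets.
# Compared case-insensitively against a backslash-normalised path.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# Assumed log format, copied from the two entries quoted in the question.
LOG_RE = re.compile(r"^WARNING- hash mismatch: (?P<path>.+?)\s*$")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Record known-good hashes for rel_paths under root (taken on a trusted system)."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}


def check_integrity(root, baseline):
    """Re-hash every baselined file; emit the page's WARNING line for each mismatch.
    A missing file counts as a mismatch too, since deletion is also tampering."""
    warnings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full) or sha256_file(full) != expected:
            warnings.append("WARNING- hash mismatch: " + full)
    return warnings


def classify_log(lines):
    """Parse mismatch warnings and separate system-library hits from everything else.
    Returns the two path lists and a verdict string."""
    system_hits, other_hits = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a mismatch warning; ignore other log lines
        path = m.group("path")
        norm = path.replace("/", "\\").lower()
        if any(d in norm for d in SYSTEM_DIRS):
            system_hits.append(path)
        else:
            other_hits.append(path)
    if system_hits:
        verdict = "rootkit indicator"
    elif other_hits:
        verdict = "no system-library tampering"
    else:
        verdict = "no mismatches"
    return {"system_dll_mismatches": system_hits,
            "other_mismatches": other_hits,
            "verdict": verdict}


def demo():
    """Constructed scenario: baseline two fake system DLLs and one user file,
    then simulate a rootkit overwriting the DLLs, and classify the resulting log."""
    with tempfile.TemporaryDirectory() as root:
        rels = [os.path.join("Windows", "SysWOW64", "user32.dll"),
                os.path.join("Windows", "SysWOW64", "kernel32.dll"),
                os.path.join("Users", "tech", "notes.txt")]
        for rel in rels:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(b"MZ fake file contents for " + rel.encode())
        baseline = build_baseline(root, rels)
        # Tamper with the two system DLLs only; the user file stays untouched.
        for rel in rels[:2]:
            with open(os.path.join(root, rel), "ab") as f:
                f.write(b"\x90\x90 hooked")
        warnings = check_integrity(root, baseline)
        for w in warnings:
            print(w)
        return classify_log(warnings)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it came from: hashes should be taken from a clean image or a vendor-signed catalog and the comparison ideally run from trusted boot media, because a kernel-mode rootkit on the live system can intercept file reads and hand the checker the original bytes.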

Topics

#Malware #Rootkits #Threat detection #Log analysis

