Maria most likely used fileless malware, because the scenario explicitly describes malicious activity that does not write a payload executable to disk and instead executes entirely in memory using PowerShell and process injection. In CEH-aligned malware classifications, fileless malware is characterized by leveraging legitimate system tools (often called “living off the land” utilities) such as PowerShell, WMI, cmd.exe, or scripting engines to execute attacker-controlled code without creating traditional malware files on the filesystem. Since many legacy antivirus solutions depend heavily on signature-based scanning of files on disk, purely memory-resident execution can reduce or eliminate typical AV detections and leave minimal artifacts in standard AV logs.

The description also mentions that after a reboot the system returns to normal, which strongly supports fileless behavior: if the attacker did not establish persistence (for example via registry run keys, scheduled tasks, services, or WMI event subscriptions), then the in-memory code and injected instructions would be cleared when memory is reset. The “abnormal spikes in resource usage” are consistent with malicious scripts running inside a trusted process context, where attackers may inject or reflectively load code to blend into normal operating activity and evade straightforward monitoring.

Why the other options are incorrect: a rootkit primarily focuses on stealth through deep system-level hiding (often kernel/driver-level) and is commonly associated with persistent concealment rather than “no disk footprint” PowerShell-only execution. A trojan is typically a malicious program masquerading as legitimate software and usually involves a delivered executable or application. Ransomware is defined by encrypting data and extorting payment, which is not described here.

Thus, the technique most consistent with the test is fileless malware executed via PowerShell and memory-only injection.