Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD 300-220 Question # 9 Topic 1 Discussion

300-220 Exam Topic 1 Question 9 Discussion:

Question #: 9

Topic #: 1

Refer to the exhibit.
A security engineer notices that a Windows Batch script includes calls to suspicious APIs. How will the script affect the system when it is executed?

The internet connection is disabled.

The host version is retrieved.

The host is put in sleep mode.

Files are encrypted.

Get Premium 300-220 Questions

Explanation

The correct answer isFiles are encrypted. The exhibit shows a collection of API calls and strings that strongly indicatecryptographic operations associated with file encryption, a common behavior in ransomware and data-encrypting malware.

Key indicators in the script include multiple Windows Cryptographic API function calls such as:

CryptAcquireContextW

CryptCreateHash

CryptHashData

CryptDeriveKey

CryptEncrypt

CryptDecrypt

CryptDestroyKey

CryptReleaseContext

These APIs are part of theWindows CryptoAPI, which is explicitly used to generate cryptographic keys, hash data, and encrypt or decrypt content. The presence of ADVAPI32.dll further confirms cryptographic functionality, as this library provides access to Windows security and encryption services.

Additionally, registry-related APIs such as RegSetValueExA, RegOpenKeyExA, and references to:

Software\Microsoft\Windows\CurrentVersion\Run

indicate that the script may also establishpersistence, ensuring the encryption routine executes again after reboot. However, persistence is secondary; the primary functional behavior shown is encryption.

Option A is incorrect because there are no APIs related to disabling networking (such as InternetSetOption or firewall manipulation). Option B is incorrect because retrieving host version information would involve system query APIs like GetVersionEx, which are not present. Option C is incorrect because although the word sleep appears, it is commonly used by malware to delay execution or evade sandboxes—not to place the system into sleep mode.

From a threat hunting and malware analysis perspective, the combination ofCryptoAPI usage, registry modification, and internet-related APIs (InternetReadFile, InternetQueryDataAvailable) is a classic ransomware pattern: retrieve data or keys, encrypt local files, and possibly communicate with command-and-control infrastructure.

Professional defenders recognize these API patterns ashigh-confidence malicious indicators, often mapped toMITRE ATT&CK – Impact: Data Encrypted for Impact (T1486). Detecting such behavior early is critical to prevent widespread data loss and operational disruption.

In summary, the script’s API usage clearly indicates thatits execution results in file encryption, makingOption Dthe correct answer.

Actual exam question for Cisco 300-220 exam by Onyx20940 at Feb 4, 2026, 4:44:29 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Pre-Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD 300-220 Question # 9 Topic 1 Discussion

Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD 300-220 Question # 9 Topic 1 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Pre-Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD 300-220 Question # 9 Topic 1 Discussion

Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD 300-220 Question # 9 Topic 1 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval