Scenario

Palo Alto's Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.

https://app.hackthebox.com/sherlocks/Unit42


1- How many Event logs are there with Event ID 11?

56


No explanation needed: in Event Viewer, use Filter Current Log on the Sysmon log and filter for Event ID 11 (FileCreate); the count of matching events is the answer.

2- Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim's system?

C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe


Among the Event ID 1 (ProcessCreate) records we can see a suspicious executable with a double .exe extension that was executed from the Downloads directory. Searching its hash on VirusTotal confirms that the executable is malicious; it is reported as an UltraVNC RAT.
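The same triage done from PowerShell instead of Event Viewer, covering both Q1 (count of Event ID 11) and Q2 (spotting the double-extension process in Event ID 1). This is an added example, not part of the original writeup; the .evtx path is a placeholder, and the double-extension/Downloads heuristics are assumptions derived from the finding above.

```powershell
# Added example (not from the writeup): triage a Sysmon .evtx export for the
# Unit42 Sherlock. $EvtxPath is a placeholder; point it at the exported log.
$EvtxPath = 'C:\cases\unit42\sysmon.evtx'   # placeholder path

# Q1: count FileCreate events (Sysmon Event ID 11).
$fileCreates = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 11 } -ErrorAction SilentlyContinue
"Event ID 11 (FileCreate) count: $($fileCreates.Count)"

# Q2: pull ProcessCreate events (Sysmon Event ID 1) and flatten their EventData fields.
$procs = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
            Hashes      = $data['Hashes']
            User        = $data['User']
        }
    }

# Heuristics (assumed here, drawn from the Q2 finding): a doubled executable
# extension such as ".exe.exe", or any process launched from a Downloads folder.
$suspicious = $procs | Where-Object {
    $_.Image -match '\.(exe|scr|com)\.(exe|scr|com)$' -or
    $_.Image -match '\\Downloads\\'
}

$suspicious | Sort-Object Time | Format-Table Time, Image, ParentImage, User -AutoSize

# Extract the SHA256 from Sysmon's Hashes field (e.g. "SHA1=...,MD5=...,SHA256=...")
# so it can be looked up on VirusTotal, as the writeup does for the flagged binary.
$suspicious | ForEach-Object {
    if ($_.Hashes -match 'SHA256=([0-9A-Fa-f]{64})') { "$($_.Image) -> SHA256 $($Matches[1])" }
}
```

The Hashes field only contains the algorithms enabled in the Sysmon configuration, so the SHA256 lookup prints nothing if only SHA1 or MD5 was logged.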

3- Which Cloud drive was used to distribute the malware?