There is a folder with suspicious *.exe files on a Win 10 PC, and there are (external) protocols of potentially unlawful actions coming from that PC at a certain time in the past. The first suspicious action was network traffic to a sinkhole IP address typical for the Hupigon trojan, a second one (some days later) was posting an attempted scam on an Internet commerce platform.
The PC in question has been powered off by simply pulling the power cable shortly after the second action has been noticed.
Shortly afterwards, the PC was seized by local authorities (who had been notified about the second action by a potential victim of the scam).
A bootable image of the PC exists that has been pulled off the C: drive after the hard shutdown. The image has already been booted on a similar PC. A Trend Micro AV scan and subsequent VirusTotal check has revealed (only) the following.
"Proxygate" folder with executable files:
What is PUP-Proxygate ("Potentially Unwanted Program")
How did I get infected with the ProxyGate adware
Internet Archive http://proxygate.net
Also, I have run a complete system scan of the system drive image of the PC in question, using Autopsy/The Sleuth Kit. However, I have no experience with further analysis using Autopsy, and would require assistance where to start:
I have the following list of event IDs that, according to some AV security companies, should be checked in the Event Viewer under the "Security" events:
1006, 1007, 1125, 4624, 4625, 4634, 4648, 4670, 4672, 4672, 4688, 4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, 4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, 4781, 4782, 4793, 5376, 5377
Is there any other way to look up whether any of the suspicious exe files has been active in any way at that time, and if yes, what it has been doing (e.g. opening files, accessing internet addresses etc.)?
Alternatively, is there a way to see any action of any program at the specific times in question (apart from searching Event Viewer)?
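One practical way to work through the event-ID list above without clicking through Event Viewer is to export the Security log from the image (on a Windows 10 system it lives at C:\Windows\System32\winevt\Logs\Security.evtx, which Autopsy can extract) and query the saved file offline with PowerShell. The script below is an added example, not code from the original question or answer: the evidence path, the time window and the use of the "Proxygate" folder name as a search marker are placeholders and assumptions, and the event IDs are the ones listed in the question (the duplicate 4672 collapsed).

```powershell
# Added example (not from the original post): query an exported Security.evtx offline
# for the event IDs listed in the question, bounded to the time window of interest,
# then pull out 4688 (process creation) records that mention the suspicious folder.
param(
    [string]$EvtxPath = 'D:\evidence\Security.evtx',   # placeholder: Security.evtx extracted from the image
    [datetime]$Start  = '2020-01-01 00:00:00',         # placeholder: start of the window of interest
    [datetime]$End    = '2020-01-02 00:00:00',         # placeholder: end of the window of interest
    [string]$Marker   = 'Proxygate'                    # folder name from the question, used as a search marker
)

# Event IDs from the question (4672 listed twice there; included once here).
$ids = @(1006, 1007, 1125, 4624, 4625, 4634, 4648, 4670, 4672, 4688, 4704,
         4720, 4722, 4725, 4726, 4728, 4731, 4732, 4733, 4735, 4740, 4756,
         4765, 4766, 4767, 4776, 4781, 4782, 4793, 5376, 5377)

# Get-WinEvent with Path= reads a saved .evtx file without importing it into the local log;
# StartTime/EndTime restrict the query to the window in which the external reports fall.
$events = Get-WinEvent -FilterHashtable @{
    Path      = $EvtxPath
    Id        = $ids
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No matching events in $EvtxPath between $Start and $End."
    return
}

# Overview: how often each ID occurs inside the window.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4688 records carry the new process path and, if process-creation command-line auditing was
# enabled on the source PC, the full command line. Keep only those that mention the marker.
$events |
    Where-Object { $_.Id -eq 4688 -and $_.Message -match $Marker } |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = (($lines | Where-Object { $_ -match 'New Process Name:' }) -replace '^\s*New Process Name:\s*', '').Trim()
            Account = (($lines | Where-Object { $_ -match 'Account Name:' }) | Select-Object -First 1) -replace '^\s*Account Name:\s*', ''
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Two caveats worth knowing before reading the output: 4688 events are only present if "Audit Process Creation" was enabled on the original PC (it is not on by default on Windows 10), so an empty second table does not prove the executables never ran; and the timestamps are in the clock of the seized machine, so compare them with the external reports only after checking that clock against a trusted reference.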
If you have to ask... then it probably won't suffice for answering the interesting questions:
There certainly are ways to set up systems so that they stream a fair amount of relevant events to a safe location (such that the logs cannot be retroactively modified), typically involving something like sysmon.
If you did not have that at the suspected time, there still is a chance there is some amount of useful evidence on the affected system itself. Depending on your environment and the skill & intentions of the malicious party, your best bet may be either one of
A tough decision best made by a forensic expert. One you might want to contract anyway, because as you discover more details about this incident, it likely calls for procedures or skills you may not be used to.