There is a folder with suspicious *.exe files on a Win 10 PC, and there are (external) protocols of potentially unlawful actions coming from that PC at certain times in the past. The first suspicious action was network traffic to a sinkhole IP address typical of the Hupigon trojan; the second one (some days later) was the posting of an attempted scam on an Internet commerce platform.
The PC in question was powered off by simply pulling the power cable shortly after the second action had been noticed.
Shortly afterwards, the PC was seized by local authorities (who had been notified about the second action by a potential victim of the scam).
A bootable image of the PC exists that was pulled off the C: drive after the hard shutdown. The image has already been booted on a similar PC. A Trend Micro AV scan and a subsequent VirusTotal check have revealed (only) the following.
"Proxygate" folder with executable files:
What is PUP-Proxygate ("Potentially Unwanted Program")
How did I get infected with the ProxyGate adware
Internet Archive http://proxygate.net
Also, I have run a complete scan of the system drive image of the PC in question using Autopsy/The Sleuth Kit. However, I have no experience with further analysis using Autopsy and would require assistance on where to start:
I have the following list of event IDs that, according to some AV security companies, should be checked in the Event Viewer under the "Security" events:
1006, 1007, 1125, 4624, 4625, 4634, 4648, 4670, 4672, 4672, 4688, 4704, 4720, 4722, 4725, 4726, 4728, 4731, 4732, 4733, 4735, 4740, 4756, 4765, 4766, 4767, 4776, 4781, 4782, 4793, 5376, 5377
Is there any other way to look up whether any of the suspicious exe files has been active in any way at that time and, if yes, what it has been doing (e.g. opening files, accessing Internet addresses, etc.)?
Alternatively, is there a way to see any action of any program at the specific times in question (apart from searching Event Viewer)?
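One way to answer the first question from the Security log alone, as an added example that is not part of the original post: query the exported log for the event IDs listed above inside the two time windows, and keep only process-creation records (4688) whose binary lives in the suspicious folder, plus the surrounding logon, privilege and account events for context. The log path, the folder name and the time windows are assumptions to be replaced with the real values.

```powershell
# Added example (not from the original post). Assumptions: the Security log was exported
# from the booted image to C:\Evidence\Security.evtx, the suspicious folder is
# C:\Proxygate, and the two time windows are placeholders for the times in the external
# reports. Event IDs are taken from the list in the question.
$EvtxPath   = 'C:\Evidence\Security.evtx'
$Suspicious = 'C:\Proxygate'
$Windows = @(
    @{ Start = [datetime]'2020-01-01 00:00'; End = [datetime]'2020-01-02 00:00' },  # placeholder: sinkhole traffic
    @{ Start = [datetime]'2020-01-05 00:00'; End = [datetime]'2020-01-06 00:00' }   # placeholder: scam posting
)
# 4688 = process creation (present only if "Audit Process Creation" was enabled on the
# seized PC), 4624/4625 = logon success/failure, 4648 = logon with explicit credentials,
# 4672 = special privileges assigned, 4720 = user account created.
$Ids = 4688, 4624, 4625, 4648, 4672, 4720

function Get-EventFields($Entry) {
    # Flatten the <EventData> of one record into a name -> value hashtable
    $fields = @{}
    $xml = [xml]$Entry.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$hits = foreach ($w in $Windows) {
    # TimeCreated is shown in the analysis machine's time zone; the windows must be
    # expressed in that same zone.
    $events = Get-WinEvent -FilterHashtable @{
        Path = $EvtxPath; Id = $Ids; StartTime = $w.Start; EndTime = $w.End
    } -ErrorAction SilentlyContinue   # "no events found" is raised as an error

    foreach ($e in $events) {
        $f = Get-EventFields $e
        # Keep only process launches from the suspicious folder, but keep every
        # logon / privilege / account event in the window for context.
        if ($e.Id -eq 4688 -and $f['NewProcessName'] -notlike "$Suspicious\*") { continue }
        $proc = if ($e.Id -eq 4688) { $f['NewProcessName'] } else { $f['ProcessName'] }
        $user = if ($f['SubjectUserName']) { $f['SubjectUserName'] } else { $f['TargetUserName'] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Process = $proc
            Parent  = $f['ParentProcessName']   # filled on Windows 10 logs, empty on older ones
            User    = $user
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

If no 4688 records appear at all, process-creation auditing was most likely not enabled on the seized PC, and Prefetch and Amcache artifacts on the image are the usual fallback for establishing which executables ran and when.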