Is there a (forensic) way to list past events/actions of a certain *.exe malware program (PUP-Proxygate, possibly a Trojan)?

Solution 1:

If you have to ask... then it probably won't suffice for answering the interesting questions:

  1. are additional systems compromised?
  2. how & when did the original compromise happen, before the particular event that raised your suspicions?

There certainly are ways to set up systems so that they stream a fair amount of relevant events to a safe location (such that the logs cannot be retroactively modified), typically involving something like sysmon.

If you did not have that at the suspected time, there still is a chance there is some amount of useful evidence on the affected system itself. Depending on your environment and the skill & intentions of the malicious party, your best bet may be either one of

  • powering off the machine to prevent evidence from being destroyed or
  • preventing the machine from being powered off to prevent evidence from being destroyed.

A tough decision best made by a forensic expert. One you might want to contract anyway, because as you discover more details about this incident, it likely calls for procedures or skills you may not be used to.
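
As an added example (not part of the answer above): if Sysmon was already logging before the incident and its events were forwarded off the host, the past actions of one executable can be listed from that log. The sketch assumes the events were exported as XML and wrapped in a single root element; the file name `suspect.exe` and all sample events are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Sysmon event IDs of interest and the field that says what the process did.
DETAIL = {1: "CommandLine", 3: "DestinationIp", 11: "TargetFilename", 13: "TargetObject"}
KIND = {1: "process_create", 3: "network_connect", 11: "file_create", 13: "registry_set"}

def _ev(eid, utc, **data):
    """Build one constructed Sysmon-style event (sample input only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{utc}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample log: paths, addresses and times are invented.
EXE = r"C:\Users\a\AppData\Local\Temp\suspect.exe"
SAMPLE = "<Events>" + "".join([
    _ev(3, "2024-01-05T10:00:07Z", Image=EXE, DestinationIp="203.0.113.10"),
    _ev(1, "2024-01-05T10:00:01Z", Image=EXE,
        ParentImage=r"C:\Windows\explorer.exe", CommandLine="suspect.exe /silent"),
    _ev(1, "2024-01-05T10:00:09Z", Image=r"C:\Windows\System32\cmd.exe",
        ParentImage=EXE, CommandLine="cmd.exe /c whoami"),
    _ev(11, "2024-01-05T10:00:03Z", Image=r"C:\Windows\System32\notepad.exe",
        TargetFilename=r"C:\Users\a\notes.txt"),
]) + "</Events>"

def timeline(xml_text, image_name):
    """Return sorted (time, kind, detail) rows for image_name and its direct children."""
    suffix = "\\" + image_name.lower()
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in DETAIL:
            continue
        d = {n.get("Name"): n.text or "" for n in ev.iterfind("e:EventData/e:Data", NS)}
        own = d.get("Image", "").lower().endswith(suffix)
        child = d.get("ParentImage", "").lower().endswith(suffix)
        if not (own or child):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        kind = "child_" + KIND[eid] if child and not own else KIND[eid]
        rows.append((when, kind, d.get(DETAIL[eid], "")))
    return sorted(rows)  # ISO-8601 UTC timestamps sort chronologically as text

if __name__ == "__main__":
    for row in timeline(SAMPLE, "suspect.exe"):
        print(*row, sep="  ")
```

The resulting timeline only covers the period in which Sysmon was running and only the event types its configuration recorded.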