Is there a (forensic) way to list past events/actions of a certain *.exe malware program (PUP-Proxygate, possibly a Trojan)?
Solution 1:
If you have to ask.. then it probably wont suffice for answering the interesting questions:
- are additional systems compromised?
- how & when did the original compromise happen, before the particular event that raised your suspicions?
There certainly are ways to setup systems so that they stream a fair amount of relevant events to a safe location (such that the logs cannot be retroactively modified), typically involving something like sysmon.
If you did not have that at the suspected time, there still is a chance there is some amount of useful evidence on the affected system itself. Depending on your environment and the skill & intentions of the malicious party, your best bet may be either one of
- powering off the machine to prevent evidence to be destroyed or
- prevent powering off the machine to prevent evidence to be destroyed.
A tough decision best made by a forensic expert. One you might want to contract anyway, because as you discover more details about this incident, it likely calls for procedures or skills you may not be used to.