In case if the traditional forensics/IR tool fails to identify a malware. This is one of the good methods to run the image/mounted volume though density scout and get a list of suspicious binaries with lower score, run and MD5 and check in Virus total.
In case if you don't have forensic tools on your machine or you are using a Mac machine. You can use a SIFT docker container to perform the action.
Docker SIFT Image: https://hub.docker.com/r/gourav5660/sans_sift_forensics
Once you have docker image pulled run following command: