# Imports

In [1]:
import json
import pandas as pd
from pandas import option_context

# Config

## Paths

In [2]:
current_malware = "Cerber"

In [3]:
project_root = "/home/jevenari/PycharmProjects/ForensicalAnalysis"

In [4]:
config_path = "/home/jevenari/PycharmProjects/ForensicalAnalysis/config/config.json"
config = json.load(open(config_path, "r"))
config = config[current_malware]

In [5]:
procmon_path = f"{config['Dynamic']}/{config['ProcessMonitor']}"

In [6]:
regshot_path = f"{project_root}/data/{current_malware}/{config['Regshot']}"

## Pandas

In [7]:
pd.set_option('display.min_rows', 1000)
pd.set_option("display.max_rows", 10000)

# Process Monitor Analysis

## Load data

In [8]:
df_procmon = pd.read_csv(procmon_path)

## Get unique operations

In [9]:
sorted(list(df_procmon["Operation"].unique()))

['CloseFile',
 'CreateFile',
 'CreateFileMapping',
 'FileSystemControl',
 'FlushBuffersFile',
 'Load Image',
 'Process Create',
 'Process Exit',
 'Process Start',
 'QueryAttributeTagFile',
 'QueryBasicInformationFile',
 'QueryDirectory',
 'QueryFullSizeInformationVolume',
 'QueryNameInformationFile',
 'QueryNetworkOpenInformationFile',
 'QueryRemoteProtocolInformation',
 'QuerySecurityFile',
 'QuerySizeInformationVolume',
 'QueryStandardInformationFile',
 'ReadFile',
 'RegCloseKey',
 'RegCreateKey',
 'RegEnumKey',
 'RegEnumValue',
 'RegOpenKey',
 'RegQueryKey',
 'RegQueryKeySecurity',
 'RegQueryValue',
 'RegSetInfoKey',
 'RegSetValue',
 'SetBasicInformationFile',
 'SetRenameInformationFile',
 'Thread Create',
 'Thread Exit',
 'UDP Send',
 'WriteFile']

## Get Process Create/Process Exit/Process Start events)

In [12]:
df_process_create = df_procmon.query("Operation == 'Process Create'")

In [13]:
df_process_create_display = df_process_create[["Time of Day", "Process Name", "PID", "Operation", "Result", "Detail"]]

In [14]:
with option_context('display.max_colwidth', 400):
    display(df_process_create_display)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Result,Detail
5549,"14:44:42,2144876",sodinokibi.exe,8376,Process Create,SUCCESS,"PID: 800, Command line: ""C:\Users\Cuckoo\Downloads\sodinokibi.exe"""
6032,"14:44:42,4886000",sodinokibi.exe,8376,Process Create,SUCCESS,"PID: 4176, Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8376 -s 536"
6180,"14:44:43,0715903",sodinokibi.exe,800,Process Create,SUCCESS,"PID: 1112, Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 516"


In [15]:
df_process_start = df_procmon.query("Operation == 'Process Start'")

In [16]:
with option_context('display.max_colwidth', 400):
    display(df_process_start)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"14:44:39,5659553",sodinokibi.exe,8376,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuckoo\Downloads\sodinokibi.exe"" , Current directory: C:\Users\Cuckoo\Downloads\, Environment: \r;\t=::=::\\r;\tALLUSERSPROFILE=C:\ProgramData\r;\tAPPDATA=C:\Users\Cuckoo\AppData\Roaming\r;\tCommonProgramFiles=C:\Program Files\Common Files\r;\tCommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\r;\tCommonProgramW6432=C:\Program Files\Common Fil..."
5550,"14:44:42,2145558",sodinokibi.exe,800,Process Start,,SUCCESS,"Parent PID: 8376, Command line: ""C:\Users\Cuckoo\Downloads\sodinokibi.exe"" , Current directory: C:\Users\Cuckoo\Downloads\, Environment: \r;\tALLUSERSPROFILE=C:\ProgramData\r;\tAPPDATA=C:\Users\Cuckoo\AppData\Roaming\r;\tCommonProgramFiles=C:\Program Files\Common Files\r;\tCommonProgramFiles(x86)=C:\Program Files (x86)\Common Files\r;\tCommonProgramW6432=C:\Program Files\Common Files\r;\tCOMPU..."


In [17]:
df_process_exit = df_procmon.query("Operation == 'Process Exit'")

In [18]:
with option_context('display.max_colwidth', 400):
    display(df_process_exit)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
6182,"14:44:45,3698748",sodinokibi.exe,8376,Process Exit,,SUCCESS,"Exit Status: -1073741819, User Time: 0.5156250 seconds, Kernel Time: 0.3125000 seconds, Private Bytes: 4.571.136, Peak Private Bytes: 4.612.096, Working Set: 17.825.792, Peak Working Set: 17.854.464"
6237,"14:44:45,5651100",sodinokibi.exe,800,Process Exit,,SUCCESS,"Exit Status: -1073741819, User Time: 0.5468750 seconds, Kernel Time: 0.0312500 seconds, Private Bytes: 2.355.200, Peak Private Bytes: 2.400.256, Working Set: 7.352.320, Peak Working Set: 7.356.416"


## Get Thread Create/Thread Exit

In [19]:
df_thread_create = df_procmon.query("Operation == 'Thread Create'")

In [20]:
df_thread_create.count()

Time of Day     14
Process Name    14
PID             14
Operation       14
Path             0
Result          14
Detail          14
dtype: int64

In [21]:
df_thread_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
1,"14:44:39,5659676",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 1500
61,"14:44:39,5980542",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 3012
66,"14:44:39,5991348",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 4532
68,"14:44:39,5994481",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 6332
418,"14:44:40,1448793",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 7576
2445,"14:44:40,2284224",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 4908
2471,"14:44:40,2296935",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 2592
2664,"14:44:40,2376239",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 408
2665,"14:44:40,2382165",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 8748
2666,"14:44:40,2385394",sodinokibi.exe,8376,Thread Create,,SUCCESS,Thread ID: 5896


In [22]:
df_thread_exit = df_procmon.query("Operation == 'Thread Exit'")

In [23]:
df_thread_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
5689,"14:44:42,2651834",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 7576, User Time: 0.0312500, Kernel ..."
5695,"14:44:42,2655203",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 5896, User Time: 0.0000000, Kernel ..."
5697,"14:44:42,2656986",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 5436, User Time: 0.0000000, Kernel ..."
5700,"14:44:42,2683167",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 8748, User Time: 0.0000000, Kernel ..."
5703,"14:44:42,2706809",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 408, User Time: 0.0000000, Kernel T..."
5704,"14:44:42,2710318",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 2592, User Time: 0.0000000, Kernel ..."
5707,"14:44:42,2713850",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 4908, User Time: 0.0000000, Kernel ..."
5714,"14:44:42,2728941",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 6332, User Time: 0.0000000, Kernel ..."
5716,"14:44:42,2729427",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 4532, User Time: 0.0156250, Kernel ..."
5717,"14:44:42,2729664",sodinokibi.exe,8376,Thread Exit,,SUCCESS,"Thread ID: 3012, User Time: 0.0000000, Kernel ..."


## Get RegCreateKey/RegSetValue data

In [24]:
df_reg_key_create = df_procmon.query("Operation == 'RegCreateKey'")

In [25]:
df_reg_key_create.count()

Time of Day     1
Process Name    1
PID             1
Operation       1
Path            1
Result          1
Detail          1
dtype: int64

In [26]:
with option_context('display.max_colwidth', 400):
    display(df_reg_key_create)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
3541,"14:44:40,2888817",sodinokibi.exe,8376,RegCreateKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\,SUCCESS,"Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY"


In [27]:
df_reg_value_set = df_procmon.query("Operation == 'RegSetValue'")

In [28]:
df_reg_value_set.count()

Time of Day     8
Process Name    8
PID             8
Operation       8
Path            8
Result          8
Detail          8
dtype: int64

In [29]:
with option_context('display.max_colwidth', 400):
    display(df_reg_value_set)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
3698,"14:44:40,2953453",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3699,"14:44:40,2953931",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3700,"14:44:40,2954116",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3701,"14:44:40,2954296",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 0"
3846,"14:44:40,2980154",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3847,"14:44:40,2980524",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3848,"14:44:40,2980759",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
3849,"14:44:40,2980948",sodinokibi.exe,8376,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 0"


## Get RegQueryKey/RegQueryValue data

In [30]:
df_reg_key_query = df_procmon.query("Operation == 'RegQueryKey'") 

In [31]:
df_reg_key_query.count()

Time of Day     2146
Process Name    2146
PID             2146
Operation       2146
Path            2146
Result          2146
Detail          2146
dtype: int64

In [32]:
with option_context('display.max_colwidth', 400):
    display(df_reg_key_query)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
93,"14:44:39,6044341",sodinokibi.exe,8376,RegQueryKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,SUCCESS,"Query: HandleTags, HandleTags: 0x400"
112,"14:44:39,6157980",sodinokibi.exe,8376,RegQueryKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,SUCCESS,"Query: HandleTags, HandleTags: 0x400"
118,"14:44:39,6160176",sodinokibi.exe,8376,RegQueryKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,SUCCESS,"Query: HandleTags, HandleTags: 0x400"
145,"14:44:39,6173971",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,"Query: HandleTags, HandleTags: 0x0"
146,"14:44:39,6174106",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,Query: Name
151,"14:44:39,6178367",sodinokibi.exe,8376,RegQueryKey,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,SUCCESS,"Query: HandleTags, HandleTags: 0x400"
183,"14:44:40,1100774",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,"Query: HandleTags, HandleTags: 0x0"
184,"14:44:40,1100944",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,Query: Name
190,"14:44:40,1104916",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,"Query: HandleTags, HandleTags: 0x0"
191,"14:44:40,1105120",sodinokibi.exe,8376,RegQueryKey,HKLM,SUCCESS,Query: Name


In [33]:
df_reg_value_query = df_procmon.query("Operation == 'RegQueryValue'") 

In [34]:
df_reg_value_query.count()

Time of Day     939
Process Name    939
PID             939
Operation       939
Path            939
Result          939
Detail          939
dtype: int64

In [35]:
with option_context('display.max_colwidth', 400):
    display(df_reg_value_query)

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
7,"14:44:39,5795375",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session Manager\RaiseExceptionOnPossibleDeadlock,NAME NOT FOUND,Length: 80
13,"14:44:39,5797365",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies,NAME NOT FOUND,Length: 24
23,"14:44:39,5844316",sodinokibi.exe,8376,RegQueryValue,HKLM\SOFTWARE\Microsoft\Wow64\x86\sodinokibi.exe,NAME NOT FOUND,Length: 520
24,"14:44:39,5844515",sodinokibi.exe,8376,RegQueryValue,HKLM\SOFTWARE\Microsoft\Wow64\x86\(Default),SUCCESS,"Type: REG_SZ, Length: 26, Data: wow64cpu.dll"
30,"14:44:39,5852199",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session Manager\RaiseExceptionOnPossibleDeadlock,NAME NOT FOUND,Length: 80
37,"14:44:39,5854712",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session Manager\ResourcePolicies,NAME NOT FOUND,Length: 24
42,"14:44:39,5942562",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\WMI\Security\3c74afb9-8d82-44e3-b52c-365dbf48382a,NAME NOT FOUND,Length: 528
43,"14:44:39,5946179",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\WMI\Security\05f95efe-7f75-49c7-a994-60a55cc09571,NAME NOT FOUND,Length: 528
51,"14:44:39,5971653",sodinokibi.exe,8376,RegQueryValue,HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled,NAME NOT FOUND,Length: 80
57,"14:44:39,5973372",sodinokibi.exe,8376,RegQueryValue,HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 0"


## Get loaded DLLs

In [36]:
df_loaded_dlls = df_procmon.query("Operation == 'Load Image'")

In [37]:
unique_dlls = pd.unique(df_loaded_dlls["Path"])

In [38]:
df_unique_dlls = pd.DataFrame(unique_dlls, columns=["Path"])

In [39]:
df_unique_dlls["DLL"] = df_unique_dlls["Path"].apply(lambda path: path.split("\\")[-1])

In [40]:
df_unique_dlls.count()

Path    62
DLL     62
dtype: int64

In [41]:
df_unique_dlls

Unnamed: 0,Path,DLL
0,C:\Users\Cuckoo\Downloads\sodinokibi.exe,sodinokibi.exe
1,C:\Windows\System32\ntdll.dll,ntdll.dll
2,C:\Windows\SysWOW64\ntdll.dll,ntdll.dll
3,C:\Windows\System32\wow64.dll,wow64.dll
4,C:\Windows\System32\wow64win.dll,wow64win.dll
5,C:\Windows\System32\wow64cpu.dll,wow64cpu.dll
6,C:\Windows\SysWOW64\kernel32.dll,kernel32.dll
7,C:\Windows\SysWOW64\KernelBase.dll,KernelBase.dll
8,C:\Windows\SysWOW64\user32.dll,user32.dll
9,C:\Windows\SysWOW64\win32u.dll,win32u.dll


# Regshot Analysis

## Load data

In [21]:
df_regshot_data = pd.read_csv(regshot_path, delimiter=";")

## Show unique types & operations

In [22]:
sorted(df_regshot_data["Type"].unique())

['File', 'Folder', 'Key', 'Value']

In [23]:
sorted(df_regshot_data["Operation"].unique())

['Added', 'Deleted', 'Modified']

## Files Created

In [24]:
df_files_created = df_regshot_data.query("Type == 'File' & Operation == 'Added'")

In [25]:
df_files_created.count()

Type         246
Operation    246
Path         246
dtype: int64

In [26]:
with option_context('display.max_colwidth', 400):
    display(df_files_created)

Unnamed: 0,Type,Operation,Path
218,File,Added,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_513ecbb9-bcc5-4ba1-b229-3e141ad4607f.json
219,File,Added,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_513ecbb9-bcc5-4ba1-b229-3e141ad4607f.json
220,File,Added,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\A349ADE9A2EC0F1095704F55740A6BC534D4E064
221,File,Added,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\startupCache\scriptCache.bin
222,File,Added,C:\Users\Cuckoo\AppData\Local\Temp\2f5d5fff\4eac.tmp
223,File,Added,C:\Users\Cuckoo\AppData\Local\Temp\2f5d5fff\6b7b.tmp
224,File,Added,C:\Users\Cuckoo\AppData\Local\Temp\tmpBA9.bmp
225,File,Added,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\918e0ecb43d17e23.automaticDestinations-ms
226,File,Added,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Windows\Recent\_R_E_A_D___T_H_I_S___9NE9RZ_.txt.lnk
227,File,Added,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefox\Profiles\s2hic8fl.default-release\datareporting\archived\2022-04\1650876812962.1ceb7529-918e-41f9-97c9-662a8d361089.event.jsonlz4


In [50]:
df_files_created.count()

Type         26
Operation    26
Path         26
dtype: int64

## Files modified

In [27]:
df_files_modiefied = df_regshot_data.query("Type == 'File' & Operation == 'Modified'")

In [28]:
df_files_modiefied.count()

Type         766
Operation    766
Path         766
dtype: int64

In [29]:
with option_context('display.max_colwidth', 400):
    display(df_files_modiefied)

Unnamed: 0,Type,Operation,Path
511,File,Modified,C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal
512,File,Modified,C:\Users\All Users\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal
513,File,Modified,C:\Users\Cuckoo\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
514,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\00F55BB8FA3912E86908DC0C37311DFC0F8DFFE1
515,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\0104AC98726B317782D3D85379EFC73019EB6995
516,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\0117E3D6C7C1DEFB7A7A8C3EA62E71FDBC51E730
517,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\027EF783BAC4780B0C1DF8F3335CD72F2C5625F9
518,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\02843E71644BC96F3695C291DBFD892236EA59A4
519,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\028D95BBFC90E79FC0BDD0F7298AE84DF72E0DA2
520,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\Profiles\s2hic8fl.default-release\cache2\entries\03028EA73DC6CE1768FE20219E7FCE4FCDFCCB5D


## Files Deleted

In [30]:
df_files_deleted = df_regshot_data.query("Type == 'File' & Operation == 'Deleted'")

In [31]:
df_files_deleted.count()

Type         206
Operation    206
Path         206
dtype: int64

In [32]:
with option_context('display.max_colwidth', 400):
    display(df_files_deleted)

Unnamed: 0,Type,Operation,Path
0,File,Deleted,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c4b89580-3c14-4027-80c8-be36f673357c.json
1,File,Deleted,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c4b89580-3c14-4027-80c8-be36f673357c.json
2,File,Deleted,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246
3,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg
4,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg
5,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1600_1200_POS4.jpg
6,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefox\Profiles\s2hic8fl.default-release\saved-telemetry-pings\b11c738d-e9cd-433c-a0bf-60013400dda6
7,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefox\Profiles\s2hic8fl.default-release\saved-telemetry-pings\f2d8525e-8e35-4556-9a61-148614ff1489
8,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64\Deviare32.db
9,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64\Deviare64.db


## Folders Created

In [57]:
df_folders_created = df_regshot_data.query("Type == 'Folder' & Operation == 'Added'")

In [58]:
df_folders_created.count()

Type         12
Operation    12
Path         12
dtype: int64

In [59]:
with option_context('display.max_colwidth', 400):
    display(df_folders_created)

Unnamed: 0,Type,Operation,Path
116,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_1926a6dc-0487-41c5-b9ad-67b78ecff60e
117,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_40d9d1d6-dc87-4d51-86f6-827855c03262
118,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_6644dff5-783e-40e8-87e1-177a8c4a2c07
119,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_d31da8d8-8639-4013-8a68-a08dbc495452
120,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_dc8b5f1b-9959-4084-9a22-13d4b2d2b654
121,Folder,Added,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_ddd5d18f-5b08-4773-834d-49d395ad2718
122,Folder,Added,C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_1926a6dc-0487-41c5-b9ad-67b78ecff60e
123,Folder,Added,C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_40d9d1d6-dc87-4d51-86f6-827855c03262
124,Folder,Added,C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_6644dff5-783e-40e8-87e1-177a8c4a2c07
125,Folder,Added,C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_sodinokibi.exe_bcba6f7f35f4b9fe9b4625a8c529b4062f737e3_7030c000_d31da8d8-8639-4013-8a68-a08dbc495452


## Folders modified

In [60]:
df_folders_modified = df_regshot_data.query("Type == 'Folder' & Operation == 'Modified'")

In [61]:
df_folders_modified.count()

Type         0
Operation    0
Path         0
dtype: int64

In [62]:
with option_context('display.max_colwidth', 400):
    display(df_folders_modified)

Unnamed: 0,Type,Operation,Path


## Folders Deleted

In [63]:
df_folders_deleted = df_regshot_data.query("Type == 'Folder' & Operation == 'Deleted'")

In [64]:
df_folders_deleted.count()

Type         0
Operation    0
Path         0
dtype: int64

In [65]:
with option_context('display.max_colwidth', 400):
    display(df_folders_deleted)

Unnamed: 0,Type,Operation,Path


## Registry Keys Created

In [66]:
df_reg_keys_created = df_regshot_data.query("Type == 'Key' & Operation == 'Added'")

In [67]:
df_reg_keys_created.count()

Type         9
Operation    9
Path         9
dtype: int64

In [68]:
with option_context('display.max_colwidth', 400):
    display(df_reg_keys_created)

Unnamed: 0,Type,Operation,Path
0,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\TiRunning
1,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\1624
2,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\3680
3,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\396
4,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\5576
5,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\8276
6,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\8352
7,Key,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\9144
8,Key,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000070352


## Registry Keys modified

In [69]:
df_reg_keys_modfied = df_regshot_data.query("Type == 'Key' & Operation == 'Modified'")

In [70]:
df_reg_keys_modfied.count()

Type         0
Operation    0
Path         0
dtype: int64

In [71]:
with option_context('display.max_colwidth', 400):
    display(df_reg_keys_modfied)

Unnamed: 0,Type,Operation,Path


## Registry Keys Deleted

In [72]:
df_reg_keys_deleted = df_regshot_data.query("Type == 'Value' & Operation == 'Deleted'")

In [73]:
df_reg_keys_deleted.count()

Type         2
Operation    2
Path         2
dtype: int64

In [74]:
with option_context('display.max_colwidth', 400):
    display(df_reg_keys_deleted)

Unnamed: 0,Type,Operation,Path
308,Value,Deleted,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA380F855: 01 00 04 80 44 00 00 00 50 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 14 00 00 00 01 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 20 00 00 00
309,Value,Deleted,"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiOverridePath: ""C:\Windows\AppCompat\Programs\Amcache.hve.tmp"""


## Registry Values Created
<h4 style="color: red">CAUTION: This part could not be parsed correctly, since the actual values were distributed over multiple lines resulting in a random pattern, that was impossible to parse.</h4>

In [75]:
df_reg_values_created = df_regshot_data.query("Type == 'Value' & Operation == 'Added'")

In [76]:
df_reg_values_created.count()

Type         28
Operation    28
Path         28
dtype: int64

In [77]:
with option_context('display.max_colwidth', 400):
    display(df_reg_values_created)

Unnamed: 0,Type,Operation,Path
35,Value,Added,"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\1624\Terminator: ""HAM"""
36,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\1624\Reason: 0x00000000
37,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\1624\CreationTime: A4 2C CD A3 81 58 D8 01
38,Value,Added,"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\3680\Terminator: ""WerSvcKernelMsgDone"""
39,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\3680\Reason: 0x00000001
40,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\3680\CreationTime: 4C BF B6 67 82 58 D8 01
41,Value,Added,"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\396\Terminator: ""WerSvcKernelMsgDone"""
42,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\396\Reason: 0x00000001
43,Value,Added,HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\396\CreationTime: B4 FF B1 67 82 58 D8 01
44,Value,Added,"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\5576\Terminator: ""WerSvcKernelMsgDone"""


## Registry Values modified

In [78]:
df_reg_values_modified = df_regshot_data.query("Type == 'Value' & Operation == 'Modified'")

In [79]:
df_reg_values_modified.count()

Type         180
Operation    180
Path         180
dtype: int64

In [80]:
with option_context('display.max_colwidth', 400):
    display(df_reg_values_modified)

Unnamed: 0,Type,Operation,Path
128,Value,Modified,HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render: 53 00 57 00 44 00 5C 00 4D 00 4D 00 44 00 45 00 56 00 41 00 50 00 49 00 5C 00 7B 00 30 00 2E 00 30 00 2E 00 30 00 2E 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 7D 00 2E 00 7B 00 37 00 61 00 64 00 65 00 36 00 62 00 63 00 32 00 2D 00 65 00 35 00 35 00 37 00 2D 00 34 00 34 00 65 00 30 00 2D 00 39 00 33 00 35 00 36 00 2D 00 39 00 34...
129,Value,Modified,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
130,Value,Modified,HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render: 53 00 57 00 44 00 5C 00 4D 00 4D 00 44 00 45 00 56 00 41 00 50 00 49 00 5C 00 7B 00 30 00 2E 00 30 00 2E 00 30 00 2E 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 7D 00 2E 00 7B 00 37 00 61 00 64 00 65 00 36 00 62 00 63 00 32 00 2D 00 65 00 35 00 35 00 37 00 2D 00 34 00 34 00 65 00 30 00 2D 00 39 00 33 00 35 00 36 00 2D 00 39 00 34...
131,Value,Modified,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
132,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01D8587E
133,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01D85882
134,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0xD8DB2020
135,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0x701D64AE
136,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounter: 0x00000001
137,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounter: 0x00000002


## Registry Values Deleted

In [81]:
df_reg_values_deleted = df_regshot_data.query("Type == 'Value' & Operation == 'Deleted'")

In [82]:
df_reg_values_deleted.count()

Type         2
Operation    2
Path         2
dtype: int64

In [83]:
with option_context('display.max_colwidth', 400):
    display(df_reg_values_deleted)

Unnamed: 0,Type,Operation,Path
308,Value,Deleted,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA380F855: 01 00 04 80 44 00 00 00 50 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 14 00 00 00 01 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 20 00 00 00
309,Value,Deleted,"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiOverridePath: ""C:\Windows\AppCompat\Programs\Amcache.hve.tmp"""
