# Imports

In [1]:
import json
import os

import pandas as pd

# Config

## Paths

In [2]:
# Name of the sample under analysis. It selects the section of config.json
# used below (config[current_malware]) and the data/<malware>/ directory
# the Regshot export is read from.
current_malware = "Cerber"

In [3]:
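# Root directory of the analysis project. Read from the environment so the
# notebook survives Restart & Run All on another machine; the literal default
# is the original absolute path, so behaviour is unchanged where it was
# written. (The variable name is chosen here; nothing else in the project sets it yet.)
project_root = os.environ.get(
    "FORENSICAL_ANALYSIS_ROOT",
    "/home/jevenari/PycharmProjects/ForensicalAnalysis",
)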

In [4]:
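# Per-sample configuration. The path is derived from project_root instead of
# repeating the absolute path a second time, and the file is opened in a
# `with` block so the handle is closed (json.load(open(...)) left it open).
config_path = f"{project_root}/config/config.json"
with open(config_path, "r", encoding="utf-8") as config_file:
    all_config = json.load(config_file)
# As before, `config` holds only the section for current_malware; the keys
# read further down are 'Dynamic', 'ProcessMonitor' and 'Regshot'.
config = all_config[current_malware]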

In [5]:
# Location of the exported Process Monitor CSV: the directory comes from the
# 'Dynamic' entry of the sample's config, the file name from 'ProcessMonitor'.
procmon_path = "{}/{}".format(config["Dynamic"], config["ProcessMonitor"])

In [6]:
# The Regshot export is kept under the project's data/<malware>/ directory;
# only its file name comes from the config.
regshot_path = "{}/data/{}/{}".format(project_root, current_malware, config["Regshot"])

## Pandas

In [7]:
# Render long frames (the ProcMon log runs to tens of thousands of rows)
# almost in full: truncate only above 10000 rows, and still show at least
# 1000 rows when truncating.
pd.options.display.min_rows = 1000
pd.options.display.max_rows = 10000

# Process Monitor Analysis

## Load data

In [8]:
# Raw Process Monitor export of the sandbox run, one row per event (columns
# are shown in the next cell). Path and Detail strings originate from the
# malware's activity, so they are data to inspect, not trusted input.
df_procmon = pd.read_csv(procmon_path)

In [9]:
# Full event log. With display.max_rows at 10000 this renders the whole
# frame; use .head() if only a glance at the layout is needed.
df_procmon

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:46,5360831",cerber.exe,1348,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."
1,"10:56:46,5360984",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 5468
2,"10:56:46,5708875",cerber.exe,1348,Load Image,C:\Users\Cuckoo\Downloads\cerber.exe,SUCCESS,"Image Base: 0x400000, Image Size: 0x9a000"
3,"10:56:46,5711260",cerber.exe,1348,Load Image,C:\Windows\System32\ntdll.dll,SUCCESS,"Image Base: 0x7ffffb750000, Image Size: 0x1f5000"
4,"10:56:46,5713257",cerber.exe,1348,Load Image,C:\Windows\SysWOW64\ntdll.dll,SUCCESS,"Image Base: 0x77660000, Image Size: 0x1a3000"
5,"10:56:46,5720900",cerber.exe,1348,CreateFile,C:\Windows\Prefetch\CERBER.EXE-95538FA7.pf,NAME NOT FOUND,"Desired Access: Generic Read, Disposition: Ope..."
6,"10:56:46,5726308",cerber.exe,1348,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,REPARSE,Desired Access: Query Value
7,"10:56:46,5726987",cerber.exe,1348,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,Desired Access: Query Value
8,"10:56:46,5727420",cerber.exe,1348,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session ...,NAME NOT FOUND,Length: 80
9,"10:56:46,5727714",cerber.exe,1348,RegCloseKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,


## Get unique operations

In [13]:
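# Every distinct Operation in the log. unique() already returns an array and
# sorted() accepts any iterable, so the list() wrapper was redundant; this
# also matches how the Regshot cells below do the same thing.
sorted(df_procmon["Operation"].unique())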

['CloseFile',
 'CreateFile',
 'CreateFileMapping',
 'FileSystemControl',
 'FlushBuffersFile',
 'Load Image',
 'Process Create',
 'Process Exit',
 'Process Start',
 'QueryAttributeTagFile',
 'QueryBasicInformationFile',
 'QueryDirectory',
 'QueryFullSizeInformationVolume',
 'QueryNameInformationFile',
 'QueryNetworkOpenInformationFile',
 'QueryRemoteProtocolInformation',
 'QuerySecurityFile',
 'QuerySizeInformationVolume',
 'QueryStandardInformationFile',
 'ReadFile',
 'RegCloseKey',
 'RegCreateKey',
 'RegEnumKey',
 'RegEnumValue',
 'RegOpenKey',
 'RegQueryKey',
 'RegQueryKeySecurity',
 'RegQueryValue',
 'RegSetInfoKey',
 'RegSetValue',
 'SetBasicInformationFile',
 'SetRenameInformationFile',
 'Thread Create',
 'Thread Exit',
 'UDP Send',
 'WriteFile']

## Get Process Create/Process Exit/Process Start events

In [14]:
# Process Create events only (new child processes recorded by ProcMon).
df_process_create = df_procmon[df_procmon["Operation"] == "Process Create"]

In [15]:
# The three children recorded below (mshta.exe, NOTEPAD.EXE, cmd.exe, all
# created from PID 1348) are the process chain to carry into the timeline.
df_process_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
30196,"10:57:11,4542148",cerber.exe,1348,Process Create,C:\Windows\SysWOW64\mshta.exe,SUCCESS,"PID: 4596, Command line: ""C:\Windows\SysWOW64\..."
35276,"10:57:11,7214640",cerber.exe,1348,Process Create,C:\Windows\SysWOW64\NOTEPAD.EXE,SUCCESS,"PID: 4328, Command line: ""C:\Windows\system32\..."
35663,"10:57:16,4482194",cerber.exe,1348,Process Create,C:\Windows\SysWOW64\cmd.exe,SUCCESS,"PID: 9424, Command line: ""C:\Windows\system32\..."


In [16]:
# Process Start events (the sample's own start).
is_process_start = df_procmon["Operation"].eq("Process Start")
df_process_start = df_procmon.loc[is_process_start]

In [17]:
# Single row: cerber.exe starting as PID 1348 (parent PID in the Detail column).
df_process_start

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:46,5360831",cerber.exe,1348,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."


In [18]:
# Process Exit events.
is_process_exit = df_procmon["Operation"].eq("Process Exit")
df_process_exit = df_procmon.loc[is_process_exit]

In [19]:
# Exit of PID 1348; together with the Process Start row this bounds the run
# (10:56:46 to 10:57:16 in the recorded output).
df_process_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
35719,"10:57:16,4675664",cerber.exe,1348,Process Exit,,SUCCESS,"Exit Status: 0, User Time: 1.8281250 seconds, ..."


## Get Thread Create/Thread Exit

In [20]:
# Thread Create events.
df_thread_create = df_procmon[df_procmon["Operation"] == "Thread Create"]

In [21]:
# Thread IDs are in the Detail column ("Thread ID: ...").
df_thread_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
1,"10:56:46,5360984",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 5468
218,"10:56:46,6228580",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 8352
223,"10:56:46,6247730",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 7732
225,"10:56:46,6253407",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 8760
1410,"10:56:47,2702980",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 5868
2889,"10:57:01,6703990",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 5104
2945,"10:57:01,6734051",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 8960
13539,"10:57:02,9567396",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 8900
14360,"10:57:03,5539585",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 6264
14361,"10:57:03,5541388",cerber.exe,1348,Thread Create,,SUCCESS,Thread ID: 6856


In [22]:
# Thread Exit events.
is_thread_exit = df_procmon["Operation"].eq("Thread Exit")
df_thread_exit = df_procmon.loc[is_thread_exit]

In [23]:
# Detail carries the Thread ID plus user/kernel time, which can be matched
# against the Thread Create rows above.
df_thread_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
14359,"10:57:03,5534160",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 8900, User Time: 0.0468750, Kernel ..."
17593,"10:57:05,0141165",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 6264, User Time: 0.0312500, Kernel ..."
17594,"10:57:05,0145119",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 6856, User Time: 0.0937500, Kernel ..."
17842,"10:57:05,6063843",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 5900, User Time: 0.0625000, Kernel ..."
17860,"10:57:05,6228817",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 9148, User Time: 0.0625000, Kernel ..."
30397,"10:57:11,4791720",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 6896, User Time: 0.0781250, Kernel ..."
35480,"10:57:11,7914459",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 5660, User Time: 0.0468750, Kernel ..."
35628,"10:57:16,4327778",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 5868, User Time: 0.0000000, Kernel ..."
35709,"10:57:16,4632753",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 5468, User Time: 1.3906250, Kernel ..."
35710,"10:57:16,4633724",cerber.exe,1348,Thread Exit,,SUCCESS,"Thread ID: 7952, User Time: 0.0156250, Kernel ..."


## Get RegCreateKey/RegSetValue data

In [24]:
# RegCreateKey events. NOTE(review): the name df_reg_value_set is misleading
# here — this frame holds RegCreateKey rows, and the same name is rebound to
# the RegSetValue rows two cells further down, so what the display cells show
# depends on which assignment ran last. A distinct name (e.g. df_reg_key_create)
# would avoid that; kept as-is so the display cell below keeps working.
df_reg_value_set = df_procmon.query("Operation == 'RegCreateKey'")

In [25]:
# Shows whatever the previous cell assigned (RegCreateKey rows when run in
# order); all recorded rows are under HKCU, with two under HKLM.
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
20162,"10:57:10,8253359",cerber.exe,1348,RegCreateKey,HKCU\Software\Microsoft\Windows\CurrentVersion...,SUCCESS,"Desired Access: Query Value, Set Value, Dispos..."
20324,"10:57:10,8348872",cerber.exe,1348,RegCreateKey,HKCU\Software\Classes\Local Settings,SUCCESS,"Desired Access: Maximum Allowed, Granted Acces..."
20327,"10:57:10,8349898",cerber.exe,1348,RegCreateKey,HKCU\Software\Classes\Local Settings,SUCCESS,"Desired Access: Maximum Allowed, Granted Acces..."
21056,"10:57:10,8760870",cerber.exe,1348,RegCreateKey,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,NAME NOT FOUND,Desired Access: Set Value
21058,"10:57:10,8762516",cerber.exe,1348,RegCreateKey,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Desired Access: Maximum Allowed, Granted Acces..."
21060,"10:57:10,8765917",cerber.exe,1348,RegCreateKey,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Desired Access: Set Value, Disposition: REG_CR..."
21066,"10:57:10,8771813",cerber.exe,1348,RegCreateKey,HKLM\SOFTWARE\WOW6432Node\RegisteredApplications,REPARSE,Desired Access: Read
21067,"10:57:10,8773663",cerber.exe,1348,RegCreateKey,HKLM\SOFTWARE\RegisteredApplications,SUCCESS,"Desired Access: Read, Disposition: REG_OPENED_..."
21072,"10:57:10,8775793",cerber.exe,1348,RegCreateKey,HKCU\SOFTWARE\RegisteredApplications,SUCCESS,"Desired Access: Read, Disposition: REG_OPENED_..."
21134,"10:57:10,9716399",cerber.exe,1348,RegCreateKey,HKCU\Software\Microsoft\Windows\CurrentVersion...,SUCCESS,"Desired Access: Read/Write, Disposition: REG_C..."


In [26]:
# RegSetValue events (this rebinds the name used for RegCreateKey above).
df_reg_value_set = df_procmon[df_procmon["Operation"] == "RegSetValue"]

In [27]:
# Non-null count per column; the columns are fully populated in the recorded
# output, so each value equals the row count (15).
df_reg_value_set.count()

Time of Day     15
Process Name    15
PID             15
Operation       15
Path            15
Result          15
Detail          15
dtype: int64

In [28]:
# The first recorded row, a REG_SZ write to HKCU\Control Panel\Desktop\Wallpaper
# pointing into the user's profile, is presumably the ransom wallpaper swap and
# is worth keeping as an indicator; the remaining writes are under HKCU\SOFTWARE
# and HKCU\Software\Classes.
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
17966,"10:57:06,1032799",cerber.exe,1348,RegSetValue,HKCU\Control Panel\Desktop\Wallpaper,SUCCESS,"Type: REG_SZ, Length: 94, Data: C:\Users\Cucko..."
20165,"10:57:10,8256330",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 0"
20746,"10:57:10,8665655",cerber.exe,1348,RegSetValue,HKCU\Software\Classes\Local Settings\Software\...,SUCCESS,"Type: REG_SZ, Length: 72, Data: Microsoft (R) ..."
20751,"10:57:10,8669246",cerber.exe,1348,RegSetValue,HKCU\Software\Classes\Local Settings\Software\...,SUCCESS,"Type: REG_SZ, Length: 44, Data: Microsoft Corp..."
21062,"10:57:10,8767527",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_NONE, Length: 0"
24399,"10:57:11,1257474",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_NONE, Length: 0"
28204,"10:57:11,2772984",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
28205,"10:57:11,2773549",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
28206,"10:57:11,2773846",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 1"
28207,"10:57:11,2774076",cerber.exe,1348,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion...,SUCCESS,"Type: REG_DWORD, Length: 4, Data: 0"


## Get loaded DLLs

In [29]:
# Load Image events: every image (the executable itself and each DLL) mapped
# into the process.
is_load_image = df_procmon["Operation"].eq("Load Image")
df_loaded_dlls = df_procmon.loc[is_load_image]

In [30]:
# Distinct image paths, in order of first appearance.
unique_dlls = df_loaded_dlls["Path"].unique()

In [31]:
# One-column frame of the distinct paths, so a file-name column can be added.
df_unique_dlls = pd.DataFrame({"Path": unique_dlls})

In [32]:
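# Add the bare file name (last backslash-separated component) next to each
# full path. The vectorised .str accessor replaces the per-row lambda and,
# unlike calling .split on a float, yields NaN instead of raising should a
# Path ever be missing; for every string it equals path.split("\\")[-1].
df_unique_dlls["DLL"] = df_unique_dlls["Path"].str.rsplit("\\", n=1).str[-1]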

In [33]:
# Recorded output shows the 32-bit sample loading both System32 and SysWOW64
# copies of ntdll.dll plus the wow64*.dll set, i.e. it ran under WOW64.
df_unique_dlls

Unnamed: 0,Path,DLL
0,C:\Users\Cuckoo\Downloads\cerber.exe,cerber.exe
1,C:\Windows\System32\ntdll.dll,ntdll.dll
2,C:\Windows\SysWOW64\ntdll.dll,ntdll.dll
3,C:\Windows\System32\wow64.dll,wow64.dll
4,C:\Windows\System32\wow64win.dll,wow64win.dll
5,C:\Windows\System32\wow64cpu.dll,wow64cpu.dll
6,C:\Windows\SysWOW64\kernel32.dll,kernel32.dll
7,C:\Windows\SysWOW64\KernelBase.dll,KernelBase.dll
8,C:\Windows\SysWOW64\apphelp.dll,apphelp.dll
9,C:\Windows\SysWOW64\user32.dll,user32.dll


# Regshot Analysis

## Load data

In [42]:
# Regshot comparison export; fields are ';'-separated (Type, Operation, Path).
df_regshot_data = pd.read_csv(regshot_path, sep=";")

## Show unique types & operations

In [50]:
# Distinct artefact types in the export.
sorted(pd.unique(df_regshot_data["Type"]))

['File', 'Folder', 'Key', 'Value']

In [51]:
# Distinct operations; note creations are recorded as 'Added', not 'Created'.
sorted(df_regshot_data["Operation"].unique().tolist())

['Added', 'Deleted', 'Modified']

## Files Created

In [46]:
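# Files created during the run. Regshot records creations as
# Operation == 'Added' (see the unique operations above); the query
# previously asked for 'Deleted', which contradicted this section's heading
# and merely duplicated the "Files Deleted" section.
df_operation_query = df_regshot_data.query("Type == 'File' & Operation == 'Added'")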

In [47]:
# Displays whatever the previous cell assigned to df_operation_query; the
# rows recorded below are File/Deleted, i.e. from the query as it stood when
# the cell last ran.
df_operation_query

Unnamed: 0,Type,Operation,Path
0,File,Deleted,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864...
1,File,Deleted,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-...
2,File,Deleted,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
3,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
4,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
5,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
6,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
7,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
8,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...
9,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...


In [49]:
# Non-null count per column; with all columns populated this is the row
# count (len(df_operation_query) would state that directly).
df_operation_query.count()

Type         206
Operation    206
Path         206
dtype: int64

## Files modified

In [52]:
# Files reported as Modified by Regshot.
is_file = df_regshot_data["Type"] == "File"
is_modified = df_regshot_data["Operation"] == "Modified"
df_operation_query = df_regshot_data[is_file & is_modified]

In [53]:
# Recorded output is dominated by Firefox profile files under AppData\Local.
df_operation_query

Unnamed: 0,Type,Operation,Path
511,File,Modified,C:\ProgramData\Microsoft\Windows\AppRepository...
512,File,Modified,C:\Users\All Users\Microsoft\Windows\AppReposi...
513,File,Modified,C:\Users\Cuckoo\AppData\Local\Microsoft\Window...
514,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
515,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
516,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
517,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
518,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
519,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
520,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...


In [54]:
# Row count via per-column non-null counts (766 modified files recorded).
df_operation_query.count()

Type         766
Operation    766
Path         766
dtype: int64

## Files Deleted

In [79]:
# Files reported as Deleted by Regshot.
is_file = df_regshot_data["Type"].eq("File")
is_deleted = df_regshot_data["Operation"].eq("Deleted")
df_operation_query = df_regshot_data.loc[is_file & is_deleted]

In [80]:
# Deleted files; the recorded rows include analysis tooling under
# Desktop\Tools and Firefox/Mozilla data, so not every deletion is
# necessarily the sample's doing.
df_operation_query

Unnamed: 0,Type,Operation,Path
0,File,Deleted,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864...
1,File,Deleted,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-...
2,File,Deleted,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
3,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
4,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
5,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
6,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
7,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
8,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...
9,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...


In [81]:
# Row count via per-column non-null counts (206 deleted files recorded).
df_operation_query.count()

Type         206
Operation    206
Path         206
dtype: int64

## Folders Created

In [58]:
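# Folders created during the run. Creations are 'Added' in the Regshot
# export; the query previously asked for 'Deleted', contradicting the
# heading and duplicating the "Folders Deleted" section.
df_operation_query = df_regshot_data.query("Type == 'Folder' & Operation == 'Added'")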

In [59]:
# Displays the frame assigned in the previous cell (empty in the recorded output).
df_operation_query

Unnamed: 0,Type,Operation,Path


In [60]:
# Per-column non-null counts (all zero in the recorded output).
df_operation_query.count()

Type         0
Operation    0
Path         0
dtype: int64

## Folders modified

In [61]:
# Folders reported as Modified by Regshot.
is_folder = df_regshot_data["Type"] == "Folder"
is_modified = df_regshot_data["Operation"] == "Modified"
df_operation_query = df_regshot_data[is_folder & is_modified]

In [62]:
# Modified folders; recorded rows include the user's Documents subfolders
# (Images, Open Office, PDFs), consistent with files inside them changing.
df_operation_query

Unnamed: 0,Type,Operation,Path
464,Folder,Modified,C:
465,Folder,Modified,C:\Users\Cuckoo\Desktop
466,Folder,Modified,C:\Users\Cuckoo\Desktop\Tools
467,Folder,Modified,C:\Users\Cuckoo\Desktop\Tools\Results
468,Folder,Modified,C:\Users\Cuckoo\Desktop\Tools\Results\Regshot
469,Folder,Modified,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64
470,Folder,Modified,C:\Users\Cuckoo\Documents
471,Folder,Modified,C:\Users\Cuckoo\Documents\Images
472,Folder,Modified,C:\Users\Cuckoo\Documents\Open Office
473,Folder,Modified,C:\Users\Cuckoo\Documents\PDFs


In [64]:
# Row count via per-column non-null counts (19 modified folders recorded).
df_operation_query.count()

Type         19
Operation    19
Path         19
dtype: int64

## Folders Deleted

In [76]:
# Folders reported as Deleted by Regshot.
is_folder = df_regshot_data["Type"].eq("Folder")
is_deleted = df_regshot_data["Operation"].eq("Deleted")
df_operation_query = df_regshot_data.loc[is_folder & is_deleted]

In [77]:
# Deleted folders (none in the recorded output).
df_operation_query

Unnamed: 0,Type,Operation,Path


In [78]:
# Per-column non-null counts (all zero in the recorded output).
df_operation_query.count()

Type         0
Operation    0
Path         0
dtype: int64

## Registry Keys Created

In [67]:
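# Registry keys created during the run ('Added' in the Regshot export).
# The query previously asked for 'Deleted', contradicting the heading; the
# two HKU\S-1-5-21-... rows in the recorded output are deleted keys, which
# belong to the "Registry Keys Deleted" section.
df_operation_query = df_regshot_data.query("Type == 'Key' & Operation == 'Added'")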

In [68]:
# Displays the frame assigned in the previous cell; the recorded rows are
# Key/Deleted entries under the user's HKU SID hive.
df_operation_query

Unnamed: 0,Type,Operation,Path
1414,Key,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...
1415,Key,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [69]:
# Row count via per-column non-null counts (2 in the recorded output).
df_operation_query.count()

Type         2
Operation    2
Path         2
dtype: int64

## Registry Keys modified

In [70]:
# Registry keys reported as Modified by Regshot.
is_key = df_regshot_data["Type"] == "Key"
is_modified = df_regshot_data["Operation"] == "Modified"
df_operation_query = df_regshot_data[is_key & is_modified]

In [71]:
# Modified keys (none in the recorded output).
df_operation_query

Unnamed: 0,Type,Operation,Path


In [72]:
# Per-column non-null counts (all zero in the recorded output).
df_operation_query.count()

Type         0
Operation    0
Path         0
dtype: int64

## Registry Keys Deleted

In [73]:
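# Registry keys deleted during the run. The query previously filtered on
# Type == 'Value', which is exactly what the "Registry Values Deleted"
# section further down covers; this section's heading asks for keys.
df_operation_query = df_regshot_data.query("Type == 'Key' & Operation == 'Deleted'")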

In [75]:
# Displays the frame assigned in the previous cell; the recorded rows are
# Value/Deleted entries (rows 1416-1417), from the query as it stood then.
df_operation_query

Unnamed: 0,Type,Operation,Path
1416,Value,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...
1417,Value,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [74]:
# Row count via per-column non-null counts (2 in the recorded output).
df_operation_query.count()

Type         2
Operation    2
Path         2
dtype: int64

## Registry Values Created
<h4 style="color: red">CAUTION: This part could not be parsed correctly: the actual values were spread over multiple lines in an irregular pattern that could not be parsed.</h4>

In [46]:
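# Registry values created during the run ('Added' in the Regshot export;
# the query previously asked for 'Deleted'). The output recorded under the
# next two cells was produced by the "Files Created" cells — same execution
# counts In [46]/In [47]/In [49] and identical File/Deleted rows — so it is
# stale; re-run from a fresh kernel to refresh it.
df_operation_query = df_regshot_data.query("Type == 'Value' & Operation == 'Added'")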

In [47]:
# The recorded output here shows File/Deleted rows, which cannot come from
# a Type == 'Value' query: it is stale output from an earlier cell run.
df_operation_query

Unnamed: 0,Type,Operation,Path
0,File,Deleted,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864...
1,File,Deleted,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-...
2,File,Deleted,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
3,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
4,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
5,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
6,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
7,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
8,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...
9,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...


In [49]:
# Per-column non-null counts; the recorded 206 matches the "Files Deleted"
# count above, another sign this output is stale.
df_operation_query.count()

Type         206
Operation    206
Path         206
dtype: int64

## Registry Values modified

In [52]:
# Registry values reported as Modified by Regshot.
is_value = df_regshot_data["Type"].eq("Value")
is_modified = df_regshot_data["Operation"].eq("Modified")
df_operation_query = df_regshot_data.loc[is_value & is_modified]

In [53]:
# The recorded output shows File/Modified rows (execution counts In [52]/[53]
# repeat those of the "Files modified" section), so it is stale for this query.
df_operation_query

Unnamed: 0,Type,Operation,Path
511,File,Modified,C:\ProgramData\Microsoft\Windows\AppRepository...
512,File,Modified,C:\Users\All Users\Microsoft\Windows\AppReposi...
513,File,Modified,C:\Users\Cuckoo\AppData\Local\Microsoft\Window...
514,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
515,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
516,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
517,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
518,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
519,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
520,File,Modified,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...


In [54]:
# Per-column non-null counts; the recorded 766 equals the "Files modified"
# count, i.e. stale output.
df_operation_query.count()

Type         766
Operation    766
Path         766
dtype: int64

## Registry Values Deleted

In [55]:
# Registry values reported as Deleted by Regshot.
is_value = df_regshot_data["Type"] == "Value"
is_deleted = df_regshot_data["Operation"] == "Deleted"
df_operation_query = df_regshot_data[is_value & is_deleted]

In [56]:
# Per-column non-null counts. The recorded 206 equals the "Files Deleted"
# count, whereas the same Value/Deleted query earlier showed 2 rows, so this
# output predates the current query.
df_operation_query.count()

Type         206
Operation    206
Path         206
dtype: int64