# Instance Compare

Aims to answer the question **Are there any unique indicators to malicious samples in terms of specific API Call(s) alone?** in **4.2.6. Dataset Analysis** of the study.

Note that this notebook only makes use of the verified xxxx_SampleHash_Common.csv file which represents a significant majority of the entire Oliveira dataset.  

## Import Libraries/Datasets

In [8]:
import pandas as pd
import time

malicious_df = pd.read_csv('../Clustering/(EDITED)KMeans_SampleHash_Common.csv', low_memory=False) #This should point to a verified <DataClustering>_SampleHash_Common.csv file
benign_df = pd.read_csv('../Clustering/Benign/API_Patterns.csv') #This should point to the API_Patterns.csv file

#Load list of API calls
API_LIST = "../api_calls.txt"
DELIMITER = "NaN"
API_FILE = open(API_LIST,"r")
APIS = API_FILE.readline().split(',')
# APIS.append(DELIMITER) #serves as a label for NaN values for Instance-based datasets
API_FILE.close()

## DataFrame Preview

In [9]:
def list_to_str(ls:list):
    output = ""
    for l in ls:
        output += str(l) + " "
    return output[0:len(output)-1]

def inject_patterns(inner_df:pd.DataFrame):
    patterns = []
    for row in range(inner_df.shape[0]):
        patterns.append(list_to_str(inner_df.iloc[row,2:5].transpose().to_list()))
    inner_df['type_pattern'] = patterns
    return inner_df

malicious_df.replace(to_replace='-',value='_', inplace=True)
malicious_df.drop(malicious_df[(malicious_df['Type 1']=='_')&(malicious_df['Type 2']=='_')&(malicious_df['Type 3']=='_')].index, inplace=True) #Drop row that is falsely labelled.
malicious_df = inject_patterns(malicious_df)

print("Malicious DF")
display(malicious_df)

print("Benign DF")
display(benign_df)

Malicious DF


Unnamed: 0,cluster,hash,Type 1,Type 2,Type 3,pattern,type_pattern
0,0,490d584c7d303ed35c673460b63f3ca8,trojan,dropper,pua,"GetSystemTimeAsFileTime,NtCreateMutant,GetSyst...",trojan dropper pua
1,0,9ab8ea1d2d68a0d4110df413e677976c,trojan,hacktool,_,"GetSystemTimeAsFileTime,NtCreateMutant,GetSyst...",trojan hacktool _
2,0,adbc74815ef2bd1ea4967abad812233d,trojan,_,_,"GetSystemTimeAsFileTime,NtCreateMutant,GetSyst...",trojan _ _
4,0,f5a0ad49337ebc87897698e70d03364e,trojan,dropper,_,"GetSystemTimeAsFileTime,NtCreateMutant,GetSyst...",trojan dropper _
5,0,4c972b447659f1e86769eb43593fd2a5,trojan,downloader,dropper,"GetSystemTimeAsFileTime,NtCreateMutant,GetSyst...",trojan downloader dropper
...,...,...,...,...,...,...,...
1755,198,0226e311ed2648ff399c7902fc113421,adware,trojan,_,"GetSystemTimeAsFileTime,LdrLoadDll,LdrGetProce...",adware trojan _
1756,198,d24b78bd73f17379ed62e4c776b4f66e,trojan,adware,_,"GetSystemTimeAsFileTime,LdrLoadDll,LdrGetProce...",trojan adware _
1757,198,f666dd4b3a53b7fe71f8976fa09bfdfb,trojan,adware,_,"GetSystemTimeAsFileTime,LdrLoadDll,LdrGetProce...",trojan adware _
1759,199,18bce1a594550daf8b3f318de48c1674,trojan,dropper,_,"SetErrorMode,OleInitialize,LdrGetDllHandle,Ldr...",trojan dropper _


Benign DF


Unnamed: 0,hash,t_0,t_1,t_2,t_3,t_4,t_5,t_6,t_7,t_8,...,t_91,t_92,t_93,t_94,t_95,t_96,t_97,t_98,t_99,pattern
0,5b51d65972a349f90a86984c26b12b30,SetErrorMode,OleInitialize,LdrGetDllHandle,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,...,NtClose,NtQueryDirectoryFile,NtClose,LdrGetProcedureAddress,CoCreateInstance,NtOpenSection,CreateDirectoryW,NtCreateFile,LdrGetProcedureAddress,"SetErrorMode,OleInitialize,LdrGetDllHandle,Ldr..."
1,ceb8cc125478fad641daa4e04e9b2f19,GetSystemInfo,NtAllocateVirtualMemory,NtOpenSection,GetTempPathW,CreateDirectoryW,GetFileAttributesW,FindFirstFileExW,DeleteFileW,NtQueryDirectoryFile,...,NtClose,NtCreateMutant,NtClose,LdrGetDllHandle,LdrGetProcedureAddress,NtClose,NtCreateMutant,NtClose,NtCreateFile,"GetSystemInfo,NtAllocateVirtualMemory,NtOpenSe..."
2,f108600edf46d7c20f6acc522aeba6df,GetSystemTimeAsFileTime,NtProtectVirtualMemory,SetUnhandledExceptionFilter,GetTimeZoneInformation,GetSystemTimeAsFileTime,GetTimeZoneInformation,GetSystemTimeAsFileTime,GetTimeZoneInformation,GetSystemTimeAsFileTime,...,SetErrorMode,GetFileAttributesExW,SetErrorMode,NtAllocateVirtualMemory,SetErrorMode,GetFileAttributesExW,SetErrorMode,FindFirstFileExW,NtQueryDirectoryFile,"GetSystemTimeAsFileTime,NtProtectVirtualMemory..."
3,711be6337cb78a948f04759a0bd210ce,GetSystemTimeAsFileTime,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,...,LdrGetProcedureAddress,NtAllocateVirtualMemory,LdrGetProcedureAddress,GetSystemMetrics,LdrLoadDll,LdrGetProcedureAddress,GetSystemMetrics,NtAllocateVirtualMemory,LdrLoadDll,"GetSystemTimeAsFileTime,LdrLoadDll,LdrGetProce..."
4,6de26f67ceb1e3303b889489010f4c3f,SetErrorMode,OleInitialize,LdrGetDllHandle,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,...,NtClose,NtQueryDirectoryFile,NtClose,LdrGetProcedureAddress,GetSystemWindowsDirectoryW,LoadStringW,GetSystemWindowsDirectoryW,GetSystemDirectoryW,RegOpenKeyExW,"SetErrorMode,OleInitialize,LdrGetDllHandle,Ldr..."
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
1074,d282ef96a93986f89825508812958354,SetErrorMode,OleInitialize,LdrGetDllHandle,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,...,NtClose,LdrGetProcedureAddress,NtAllocateVirtualMemory,LdrGetDllHandle,LdrGetProcedureAddress,LdrGetDllHandle,LdrGetProcedureAddress,LdrGetDllHandle,LdrGetProcedureAddress,"SetErrorMode,OleInitialize,LdrGetDllHandle,Ldr..."
1075,c0389d256f976044adf570f0df908953,GetSystemTimeAsFileTime,SetUnhandledExceptionFilter,GetCursorPos,SetErrorMode,FindResourceW,SetWindowsHookExW,CoInitializeEx,NtDuplicateObject,NtAllocateVirtualMemory,...,NtAllocateVirtualMemory,LdrLoadDll,LdrGetProcedureAddress,NtAllocateVirtualMemory,GetSystemMetrics,RegOpenKeyExW,NtAllocateVirtualMemory,GetSystemMetrics,NtAllocateVirtualMemory,"GetSystemTimeAsFileTime,SetUnhandledExceptionF..."
1076,20316e717de5db169aecbb67377504ce,SetUnhandledExceptionFilter,NtCreateMutant,NtAllocateVirtualMemory,NtClose,NtCreateMutant,NtClose,NtCreateMutant,NtClose,NtAllocateVirtualMemory,...,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,"SetUnhandledExceptionFilter,NtCreateMutant,NtA..."
1077,ce945d424b93ea73fbbedf0254f6bc07,NtClose,NtOpenKey,NtQueryValueKey,NtClose,NtOpenKey,NtQueryValueKey,NtClose,LdrGetDllHandle,LdrGetProcedureAddress,...,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrLoadDll,LdrGetProcedureAddress,LdrGetDllHandle,FindResourceExW,LoadResource,"NtClose,NtOpenKey,NtQueryValueKey,NtClose,NtOp..."


## Extract Unique API Calls

In [10]:
str_output = ""

malicious_apis = []
for i in range(malicious_df.shape[0]): #Only allow those with 
    if not (malicious_df['Type 1'].iloc[i] == '_' and malicious_df['Type 2'].iloc[i] == '_' and malicious_df['Type 3'].iloc[i] == '_'):
        malicious_apis += malicious_df['pattern'].iloc[i].split(',')
malicious_apis = list(pd.Series(malicious_apis).unique())
str_output += f"# of Unique API Calls in Verified Malicious Samples: {len(malicious_apis)}\n"
str_output += str(malicious_apis) + "\n\n"

benign_apis = []
for i in range(benign_df.shape[0]): #Only allow those with 
    benign_apis += benign_df['pattern'].iloc[i].split(',')
benign_apis = list(pd.Series(benign_apis).unique())
str_output += f"# of Unique API Calls in Benign Samples: {len(benign_apis)}\n" 
str_output += str(benign_apis) + "\n\n"

with open('4 Unique_APICalls_MaliciousOnly.txt', 'w') as f:
    f.write(str_output)
    f.flush()
    f.close()
print(str_output)

# of Unique API Calls in Verified Malicious Samples: 154
['GetSystemTimeAsFileTime', 'NtCreateMutant', 'NtOpenKeyEx', 'NtQueryKey', 'LdrLoadDll', 'LdrGetProcedureAddress', 'RegOpenKeyExW', 'RegQueryInfoKeyW', 'RegEnumKeyExW', 'RegEnumValueW', 'RegCloseKey', 'GetFileAttributesW', 'RegQueryValueExW', 'NtOpenFile', 'NtQueryDirectoryFile', 'NtClose', 'NtQuerySystemInformation', 'NtProtectVirtualMemory', 'GetSystemDirectoryW', 'LdrGetDllHandle', 'NtOpenKey', 'NtQueryValueKey', 'NtCreateFile', 'GetFileSize', 'NtCreateSection', 'NtMapViewOfSection', 'GetSystemInfo', 'NtUnmapViewOfSection', 'NtAllocateVirtualMemory', 'NtFreeVirtualMemory', 'SetUnhandledExceptionFilter', 'CryptAcquireContextW', 'CryptCreateHash', 'CryptHashData', 'SetFilePointer', 'NtReadFile', 'CoInitializeEx', 'RegEnumKeyW', 'CreateThread', 'UuidCreate', 'RegCreateKeyExW', 'RegSetValueExW', 'CoCreateInstance', 'FindResourceW', 'SizeofResource', 'LoadResource', 'NtDelayExecution', 'EnumWindows', 'SetErrorMode', 'OleInitialize'

## Identify the Unique API Calls only found in Malicious API Calls.

In [11]:
str_output = ""

unique = []
for m in malicious_apis:
    if m not in benign_apis:
        unique.append(m)
str_output += f"No. of truly unique API Calls only found in Malicious Samples: {len(unique)} ({len(unique)/len(benign_apis)*100:.2f}% Matches API Calls of Benign Samples)\n"
str_output += f"Coverage of 'Malicious-only' API Calls to Official API Calls Oliveira.csv: {(len(unique)/len(APIS))*100:.4f}%\n"
str_output += "Unique API Calls to Verified Malicious Samples only: "+ str(unique) + "\n"

with open('4 Unique_APICalls_MaliciousOnly.txt', 'w') as f:
    f.write(str_output)
    f.flush()
    f.close()
print(str_output)

No. of truly unique API Calls only found in Malicious Samples: 9 (4.50% Matches API Calls of Benign Samples)
Coverage of 'Malicious-only' API Calls to Official API Calls Oliveira.csv: 2.9316%
Unique API Calls to Verified Malicious Samples only: ['CryptDecrypt', 'getaddrinfo', 'InternetOpenA', 'InternetConnectA', 'HttpOpenRequestA', 'NtSuspendThread', 'connect', 'GetDiskFreeSpaceW', 'SetFileTime']



**Fun Fact:** You might see on the results of item #5 that it will contain some Crypt (e.g., `CryptDecrypt`) related API calls. According to the talk of Sir Mantua (during his 4th hr. talk), it is a possible key indicator that a ransomware is in the system. This is supported by the fact that some malicious samples are ransomware as seen in the `Type 2` & `Type 3` malware types.

In [12]:
str_output = ""
for u in unique:
    str_output += u + "\n\n"
    str_output += str(malicious_df[malicious_df['pattern'].str.contains(u)]['type_pattern'].value_counts())
    str_output += "\n=====================================================================\n"

with open('4 APICalls_MalwareTypes_MaliciousOnly.txt', 'w') as f:
    f.write(str_output)
    f.flush()
    f.close()
print(str_output)

CryptDecrypt

type_pattern
trojan adware _             87
trojan adware virus         16
trojan _ _                  13
downloader adware trojan     9
trojan downloader adware     4
adware trojan _              3
trojan adware dropper        3
adware trojan virus          1
adware downloader trojan     1
trojan dropper _             1
Name: count, dtype: int64
getaddrinfo

type_pattern
adware trojan virus         12
adware trojan downloader     7
adware downloader trojan     1
Name: count, dtype: int64
InternetOpenA

type_pattern
trojan downloader adware    3
Name: count, dtype: int64
InternetConnectA

type_pattern
trojan downloader adware    3
Name: count, dtype: int64
HttpOpenRequestA

type_pattern
trojan downloader adware    3
Name: count, dtype: int64
NtSuspendThread

type_pattern
trojan _ _    10
Name: count, dtype: int64
connect

type_pattern
adware trojan virus         8
adware trojan downloader    2
Name: count, dtype: int64
GetDiskFreeSpaceW

type_pattern
trojan dropper _     

## Identify the Same API Calls found in both Malicious and Benign Samples.

*Apparently, due to the proliferation of trojan-like malware, it could be possible that there are more API Calls that can be found the same between Malicious and Benign Samples.*

In [13]:
str_output = ""
same = []
for m in malicious_apis:
    if m in benign_apis:
        same.append(m)
str_output += f"No. of API Calls in Malicious Samples that is found in API Calls in Benign Samples: {len(same)} ({len(same)/len(benign_apis)*100:.2f}% Matches API Calls of Benign Samples)\n"
str_output += f"Coverage of 'Same-to-Malicious-Benign-Samples' API Calls to Official API Calls Oliveira.csv: {(len(same)/len(APIS))*100:.4f}%\n"
str_output += "Unique API Calls to both Verified Malicious and Benign Samples: "+ str(same) + "\n"

with open('4 Unique_APICalls_MaliciousBenign.txt', 'w') as f:
    f.write(str_output)
    f.flush()
    f.close()
print(str_output)

No. of API Calls in Malicious Samples that is found in API Calls in Benign Samples: 145 (72.50% Matches API Calls of Benign Samples)
Coverage of 'Same-to-Malicious-Benign-Samples' API Calls to Official API Calls Oliveira.csv: 47.2313%
Unique API Calls to both Verified Malicious and Benign Samples: ['GetSystemTimeAsFileTime', 'NtCreateMutant', 'NtOpenKeyEx', 'NtQueryKey', 'LdrLoadDll', 'LdrGetProcedureAddress', 'RegOpenKeyExW', 'RegQueryInfoKeyW', 'RegEnumKeyExW', 'RegEnumValueW', 'RegCloseKey', 'GetFileAttributesW', 'RegQueryValueExW', 'NtOpenFile', 'NtQueryDirectoryFile', 'NtClose', 'NtQuerySystemInformation', 'NtProtectVirtualMemory', 'GetSystemDirectoryW', 'LdrGetDllHandle', 'NtOpenKey', 'NtQueryValueKey', 'NtCreateFile', 'GetFileSize', 'NtCreateSection', 'NtMapViewOfSection', 'GetSystemInfo', 'NtUnmapViewOfSection', 'NtAllocateVirtualMemory', 'NtFreeVirtualMemory', 'SetUnhandledExceptionFilter', 'CryptAcquireContextW', 'CryptCreateHash', 'CryptHashData', 'SetFilePointer', 'NtReadFi

In [7]:
for s in same:
    display(s, malicious_df[malicious_df['pattern'].str.contains(s)]['type_pattern'].value_counts()[0:10])

    str_output = ""
for s in same:
    str_output += s + "\n\n"
    str_output += str(malicious_df[malicious_df['pattern'].str.contains(s)]['type_pattern'].value_counts())
    str_output += "\n=====================================================================\n"

with open('4 APICalls_MalwareTypes_MaliciousBenign.txt', 'w') as f:
    f.write(str_output)
    f.flush()
    f.close()
print(str_output)

'GetSystemTimeAsFileTime'

type_pattern
trojan adware _             322
trojan adware pua           112
trojan _ _                   95
trojan adware virus          77
trojan adware downloader     42
downloader adware trojan     37
adware trojan virus          35
trojan dropper _             27
adware trojan downloader     24
trojan downloader adware     22
Name: count, dtype: int64

'NtCreateMutant'

type_pattern
trojan adware _             104
trojan _ _                   65
trojan dropper _             24
trojan adware virus          20
adware trojan virus          19
adware trojan pua            11
ransomware trojan _          11
trojan downloader adware     10
adware trojan _              10
adware trojan downloader     10
Name: count, dtype: int64

'NtOpenKeyEx'

type_pattern
trojan adware _              99
trojan _ _                   39
trojan dropper _             18
trojan adware virus          18
adware trojan virus           9
trojan downloader adware      9
trojan downloader dropper     5
trojan downloader pua         5
trojan pua _                  4
trojan dropper pua            3
Name: count, dtype: int64

'NtQueryKey'

type_pattern
trojan dropper _             9
trojan _ _                   7
trojan banker spyware        5
trojan spyware _             4
trojan dropper pua           2
trojan downloader dropper    2
trojan spyware banker        2
trojan hacktool _            1
trojan miner _               1
trojan worm _                1
Name: count, dtype: int64

'LdrLoadDll'

type_pattern
trojan adware _             514
trojan _ _                  279
trojan adware pua           126
trojan adware virus          76
trojan adware downloader     55
trojan dropper _             50
adware trojan virus          50
adware trojan downloader     44
downloader adware trojan     39
adware trojan _              32
Name: count, dtype: int64

'LdrGetProcedureAddress'

type_pattern
trojan adware _             517
trojan _ _                  294
trojan adware pua           126
trojan adware virus          80
trojan adware downloader     57
trojan dropper _             54
adware trojan virus          51
adware trojan downloader     44
downloader adware trojan     39
adware trojan _              33
Name: count, dtype: int64

'RegOpenKeyExW'

type_pattern
trojan adware _             401
trojan _ _                  149
trojan adware pua           122
trojan adware downloader     52
trojan adware virus          43
adware trojan downloader     40
downloader adware trojan     38
adware trojan _              30
trojan dropper _             28
trojan adware dropper        23
Name: count, dtype: int64

'RegQueryInfoKeyW'

type_pattern
trojan adware pua            98
trojan adware _              94
trojan _ _                   29
trojan adware downloader     14
trojan dropper _             13
trojan adware dropper        13
trojan downloader dropper     5
trojan adware virus           3
trojan dropper pua            2
adware trojan _               2
Name: count, dtype: int64

'RegEnumKeyExW'

type_pattern
trojan adware pua            98
trojan adware _              94
trojan _ _                   29
trojan adware downloader     14
trojan dropper _             13
trojan adware dropper        13
trojan downloader dropper     5
trojan adware virus           3
trojan dropper pua            2
adware trojan _               2
Name: count, dtype: int64

'RegEnumValueW'

type_pattern
trojan _ _                   29
trojan dropper _             13
trojan downloader dropper     5
trojan dropper pua            2
trojan hacktool _             1
downloader _ _                1
trojan worm _                 1
trojan dropper virus          1
trojan miner dropper          1
trojan pua _                  1
Name: count, dtype: int64

'RegCloseKey'

type_pattern
trojan adware _             404
trojan _ _                  160
trojan adware pua           126
trojan adware virus          57
trojan adware downloader     52
adware trojan downloader     41
downloader adware trojan     38
adware trojan virus          36
adware trojan _              30
trojan adware dropper        23
Name: count, dtype: int64

'GetFileAttributesW'

type_pattern
trojan _ _                   145
trojan dropper _              31
downloader adware trojan      11
trojan spyware _              10
trojan pua _                   9
trojan miner _                 9
trojan downloader adware       8
adware trojan downloader       7
trojan downloader dropper      6
trojan dropper downloader      6
Name: count, dtype: int64

'RegQueryValueExW'

type_pattern
trojan adware _             399
trojan _ _                  128
trojan adware pua           122
trojan adware virus          41
downloader adware trojan     36
adware trojan downloader     34
trojan adware downloader     33
adware trojan _              24
trojan adware dropper        23
trojan dropper _             21
Name: count, dtype: int64

'NtOpenFile'

type_pattern
adware trojan virus          13
adware trojan downloader     11
ransomware trojan _          11
trojan _ _                    9
trojan dropper _              9
trojan ransomware _           7
adware trojan _               6
ransomware trojan dropper     6
trojan adware pua             5
trojan dropper pua            2
Name: count, dtype: int64

'NtQueryDirectoryFile'

type_pattern
trojan _ _                   18
downloader trojan _           8
trojan dropper _              5
trojan dropper pua            2
trojan downloader dropper     2
adware trojan _               2
downloader trojan adware      2
adware _ _                    1
trojan spyware _              1
trojan adware _               1
Name: count, dtype: int64

'NtClose'

type_pattern
trojan adware _             517
trojan _ _                  279
trojan adware pua           126
trojan adware virus          80
trojan adware downloader     57
trojan dropper _             54
adware trojan virus          51
adware trojan downloader     44
downloader adware trojan     39
adware trojan _              33
Name: count, dtype: int64

'NtQuerySystemInformation'

type_pattern
trojan adware _             116
trojan _ _                   39
trojan adware virus          21
trojan dropper _             18
adware trojan virus          12
ransomware trojan _          11
adware trojan _               8
trojan adware downloader      7
trojan downloader adware      6
trojan banker _               6
Name: count, dtype: int64

'NtProtectVirtualMemory'

type_pattern
trojan adware _             349
trojan _ _                  203
trojan adware virus          68
trojan dropper _             43
adware trojan virus          34
trojan pua _                 18
trojan adware downloader     16
trojan downloader adware     15
adware trojan _              13
trojan ransomware _          10
Name: count, dtype: int64

'GetSystemDirectoryW'

type_pattern
trojan adware _             214
trojan _ _                  113
trojan adware virus          44
trojan dropper _             24
adware trojan virus          18
downloader trojan _          18
trojan adware pua            17
adware trojan _              17
trojan adware downloader     15
trojan downloader adware     15
Name: count, dtype: int64

'LdrGetDllHandle'

type_pattern
trojan adware _             517
trojan _ _                  289
trojan adware pua           126
trojan adware virus          80
trojan adware downloader     57
trojan dropper _             54
adware trojan virus          51
adware trojan downloader     44
downloader adware trojan     39
adware trojan _              33
Name: count, dtype: int64

'NtOpenKey'

type_pattern
trojan adware _             424
trojan _ _                  250
trojan adware pua           126
trojan adware virus          58
trojan adware downloader     53
trojan dropper _             45
adware trojan downloader     41
adware trojan virus          39
adware trojan _              28
trojan adware dropper        22
Name: count, dtype: int64

'NtQueryValueKey'

type_pattern
trojan adware _             422
trojan _ _                  250
trojan adware pua           126
trojan adware downloader     53
trojan dropper _             45
adware trojan downloader     41
trojan adware virus          34
adware trojan _              28
adware trojan virus          27
trojan adware dropper        22
Name: count, dtype: int64

'NtCreateFile'

type_pattern
trojan _ _                  153
trojan adware pua           122
trojan adware _             115
trojan dropper _             40
trojan adware downloader     37
adware trojan downloader     27
adware trojan _              21
downloader trojan _          18
adware trojan virus          18
trojan adware dropper        15
Name: count, dtype: int64

'GetFileSize'

type_pattern
trojan adware pua           110
trojan adware _             103
trojan _ _                   75
trojan adware downloader     32
trojan dropper _             22
trojan adware dropper        15
ransomware trojan _          11
downloader trojan adware      8
trojan ransomware _           7
adware downloader trojan      6
Name: count, dtype: int64

'NtCreateSection'

type_pattern
trojan _ _                  153
trojan dropper _             40
adware trojan downloader     24
trojan adware downloader     21
downloader trojan _          18
trojan adware _              17
trojan adware pua            15
adware trojan virus          15
downloader adware trojan     14
trojan ransomware _          13
Name: count, dtype: int64

'NtMapViewOfSection'

type_pattern
trojan _ _                  163
trojan dropper _             40
trojan adware _              33
adware trojan downloader     25
trojan adware downloader     21
downloader trojan _          18
adware trojan virus          17
trojan adware pua            16
trojan downloader adware     16
adware trojan _              15
Name: count, dtype: int64

'GetSystemInfo'

type_pattern
trojan adware _             396
trojan _ _                  183
trojan adware virus          70
trojan dropper _             30
adware trojan virus          29
adware trojan downloader     22
trojan adware downloader     16
adware trojan _              15
trojan downloader adware     14
miner trojan pua             12
Name: count, dtype: int64

'NtUnmapViewOfSection'

type_pattern
trojan _ _                   37
trojan dropper _             26
downloader adware trojan      9
miner trojan pua              6
trojan downloader dropper     5
trojan miner _                4
trojan worm downloader        3
trojan dropper pua            2
trojan worm _                 2
trojan miner dropper          1
Name: count, dtype: int64

'NtAllocateVirtualMemory'

type_pattern
trojan adware _             512
trojan _ _                  249
trojan adware pua           115
trojan adware virus          79
trojan adware downloader     57
adware trojan virus          50
adware trojan downloader     43
downloader adware trojan     39
trojan dropper _             35
adware trojan _              28
Name: count, dtype: int64

'NtFreeVirtualMemory'

type_pattern
trojan _ _                  213
trojan adware _             194
trojan adware virus          68
adware trojan virus          47
downloader adware trojan     38
trojan dropper _             29
trojan adware downloader     27
adware trojan downloader     26
trojan downloader adware     25
adware trojan _              21
Name: count, dtype: int64

'SetUnhandledExceptionFilter'

type_pattern
trojan adware _             322
trojan adware pua           112
trojan adware virus          77
trojan _ _                   75
trojan adware downloader     42
downloader adware trojan     37
adware trojan virus          35
adware trojan downloader     24
trojan downloader adware     22
trojan adware dropper        21
Name: count, dtype: int64

'CryptAcquireContextW'

type_pattern
trojan adware _              195
trojan adware pua            109
trojan _ _                    50
trojan adware virus           21
trojan adware dropper         19
trojan adware downloader      15
ransomware trojan _           11
downloader adware trojan       9
ransomware trojan dropper      6
trojan spyware _               6
Name: count, dtype: int64

'CryptCreateHash'

type_pattern
trojan adware pua           108
trojan adware _             102
trojan adware downloader     15
trojan adware dropper        15
downloader adware trojan      9
trojan _ _                    5
trojan spyware _              5
trojan adware virus           3
adware trojan _               2
adware trojan downloader      2
Name: count, dtype: int64

'CryptHashData'

type_pattern
trojan adware pua           108
trojan adware _             102
trojan adware downloader     15
trojan adware dropper        15
downloader adware trojan      9
trojan _ _                    5
trojan spyware _              5
trojan adware virus           3
adware trojan _               2
adware trojan downloader      2
Name: count, dtype: int64

'SetFilePointer'

type_pattern
trojan adware pua           119
trojan adware _             104
trojan _ _                   56
trojan adware downloader     32
trojan adware dropper        15
trojan dropper _             12
downloader trojan adware      8
adware downloader trojan      7
trojan ransomware _           7
adware trojan downloader      7
Name: count, dtype: int64

'NtReadFile'

type_pattern
trojan adware pua           119
trojan adware _             104
trojan adware downloader     32
trojan _ _                   25
trojan adware dropper        15
adware trojan downloader     11
trojan dropper _             10
downloader trojan adware      8
trojan ransomware _           7
adware downloader trojan      7
Name: count, dtype: int64

'CoInitializeEx'

type_pattern
trojan adware _             248
trojan adware pua           118
trojan _ _                   52
trojan adware downloader     35
trojan adware virus          34
adware trojan downloader     20
trojan adware dropper        20
adware trojan virus          16
adware trojan _              15
trojan downloader adware     13
Name: count, dtype: int64

'RegEnumKeyW'

type_pattern
trojan adware _             114
trojan adware pua           107
trojan adware downloader     16
downloader trojan _          15
trojan adware dropper        13
trojan adware virus          10
trojan downloader adware      6
trojan _ _                    6
adware trojan _               4
downloader trojan adware      3
Name: count, dtype: int64

'CreateThread'

type_pattern
trojan adware _             201
trojan adware pua           108
trojan _ _                   31
trojan adware virus          27
adware trojan downloader     23
trojan adware dropper        20
adware trojan virus          19
trojan adware downloader     16
adware trojan _              15
ransomware trojan _          11
Name: count, dtype: int64

'UuidCreate'

type_pattern
trojan adware pua           106
trojan adware _              97
trojan adware downloader     15
trojan adware dropper        13
adware trojan downloader     12
trojan _ _                    4
adware trojan _               3
trojan adware virus           3
adware _ _                    2
trojan downloader adware      2
Name: count, dtype: int64

'RegCreateKeyExW'

type_pattern
trojan adware pua           107
trojan adware _              98
trojan adware downloader     30
trojan adware dropper        13
adware trojan downloader      9
downloader trojan adware      8
adware downloader trojan      4
adware trojan virus           4
trojan downloader adware      3
downloader adware trojan      3
Name: count, dtype: int64

'RegSetValueExW'

type_pattern
trojan adware pua           107
trojan adware _              98
trojan adware downloader     30
trojan adware dropper        13
downloader trojan adware      8
adware trojan downloader      4
adware downloader trojan      3
trojan downloader adware      3
downloader adware trojan      3
trojan adware virus           3
Name: count, dtype: int64

'CoCreateInstance'

type_pattern
trojan adware pua           99
trojan adware _             98
trojan adware downloader    16
trojan adware dropper       15
adware trojan downloader    15
trojan _ _                   8
trojan banker spyware        5
trojan adware virus          3
trojan spyware _             3
adware trojan pua            2
Name: count, dtype: int64

'FindResourceW'

type_pattern
trojan adware pua           100
trojan adware _              97
adware trojan downloader     21
trojan adware downloader     18
trojan _ _                   14
trojan adware dropper        13
trojan dropper _              6
adware trojan pua             5
adware virus _                5
adware downloader trojan      5
Name: count, dtype: int64

'SizeofResource'

type_pattern
trojan adware _             107
trojan adware pua           100
trojan _ _                   31
trojan adware downloader     18
adware trojan downloader     18
trojan adware dropper        13
adware trojan _              11
adware trojan virus          10
trojan dropper _              9
trojan miner _                8
Name: count, dtype: int64

'LoadResource'

type_pattern
trojan adware _             242
trojan _ _                  169
trojan adware pua           100
trojan adware downloader     46
adware trojan downloader     40
trojan dropper _             26
trojan adware dropper        17
adware trojan virus          14
adware trojan _              14
trojan pua _                 12
Name: count, dtype: int64

'NtDelayExecution'

type_pattern
trojan adware pua            66
trojan adware _              49
trojan _ _                   30
trojan adware virus          29
adware trojan virus          24
ransomware trojan _          11
trojan adware downloader      9
adware trojan downloader      7
ransomware trojan dropper     6
trojan adware dropper         6
Name: count, dtype: int64

'EnumWindows'

type_pattern
trojan adware pua           65
trojan adware _             45
trojan adware downloader     6
trojan adware dropper        6
trojan _ _                   6
trojan adware virus          3
adware virus _               1
Name: count, dtype: int64

'SetErrorMode'

type_pattern
trojan adware _             185
trojan _ _                  133
adware trojan downloader     24
adware trojan _              22
downloader trojan _          18
trojan adware downloader     17
trojan dropper _             15
adware trojan pua            13
trojan ransomware _          12
adware trojan virus          12
Name: count, dtype: int64

'OleInitialize'

type_pattern
trojan adware _             152
trojan _ _                  135
downloader trojan _          18
adware trojan downloader     17
trojan adware downloader     17
trojan dropper _             15
adware trojan _              14
trojan downloader adware     10
trojan miner _               10
adware trojan pua             8
Name: count, dtype: int64

'NtOpenSection'

type_pattern
trojan _ _                  34
downloader trojan _         18
downloader adware trojan     9
adware trojan _              9
trojan downloader adware     8
adware trojan pua            8
trojan adware _              7
trojan banker spyware        5
trojan downloader pua        5
adware trojan virus          4
Name: count, dtype: int64

'GetSystemWindowsDirectoryW'

type_pattern
trojan adware _             226
trojan _ _                  137
trojan adware virus          48
trojan adware downloader     27
adware trojan virus          27
trojan downloader adware     22
trojan dropper _             21
adware trojan _              19
downloader trojan _          18
downloader adware trojan     15
Name: count, dtype: int64

'RegOpenKeyExA'

type_pattern
trojan _ _                  202
trojan adware _             132
downloader adware trojan     34
trojan adware virus          29
adware trojan virus          23
adware trojan _              21
downloader trojan _          18
trojan downloader adware     16
trojan dropper _             16
trojan ransomware _          13
Name: count, dtype: int64

'CreateActCtxW'

type_pattern
trojan adware _             222
trojan _ _                   80
trojan adware virus          45
downloader trojan _          18
adware trojan virus          15
adware trojan _              14
trojan downloader adware     13
trojan dropper _             13
trojan adware downloader      7
trojan spyware _              6
Name: count, dtype: int64

'GetVolumeNameForVolumeMountPointW'

type_pattern
downloader trojan _         18
trojan _ _                  12
adware trojan _              7
adware trojan virus          3
downloader trojan adware     3
trojan downloader adware     2
adware _ _                   2
trojan adware pua            2
trojan adware downloader     2
adware trojan pua            2
Name: count, dtype: int64

'NtDuplicateObject'

type_pattern
trojan adware _             92
trojan _ _                  33
trojan adware virus         19
downloader trojan _         18
adware trojan _             14
adware trojan downloader    10
trojan downloader adware     8
miner trojan pua             6
trojan adware dropper        5
trojan adware downloader     5
Name: count, dtype: int64

'LoadStringW'

type_pattern
trojan adware _             182
trojan _ _                   25
downloader trojan _          18
adware trojan downloader     17
trojan adware downloader     15
adware trojan _              14
trojan ransomware _          11
adware trojan pua            11
adware virus _                8
miner trojan pua              6
Name: count, dtype: int64

'GetNativeSystemInfo'

type_pattern
trojan adware _             182
trojan _ _                   29
adware trojan downloader     17
trojan adware downloader     15
adware trojan _              13
trojan adware pua            12
trojan miner _               10
adware trojan pua            10
adware virus _                7
miner trojan pua              6
Name: count, dtype: int64

'FindFirstFileExW'

type_pattern
trojan adware _             181
trojan _ _                   38
adware trojan downloader     25
trojan dropper _             15
trojan adware downloader     13
trojan adware pua            10
trojan miner _                8
adware trojan _               5
trojan adware dropper         4
trojan downloader _           3
Name: count, dtype: int64

'NtQueryAttributesFile'

type_pattern
trojan _ _             71
trojan adware _        11
trojan miner _         10
adware trojan pua       9
trojan pua _            9
trojan dropper _        8
trojan downloader _     8
adware virus _          7
trojan spyware _        7
trojan ransomware _     6
Name: count, dtype: int64

'LoadStringA'

type_pattern
trojan _ _                  147
trojan dropper _             14
trojan adware _              11
trojan pua _                  8
trojan spyware _              7
trojan downloader _           5
adware trojan virus           4
trojan dropper pua            3
adware trojan downloader      2
adware trojan _               2
Name: count, dtype: int64

'GetSystemMetrics'

type_pattern
trojan adware _             329
trojan _ _                  202
trojan adware virus          56
trojan adware downloader     28
trojan dropper _             24
adware trojan downloader     24
adware trojan virus          22
adware trojan _              19
downloader trojan adware     14
trojan adware pua            14
Name: count, dtype: int64

'FindResourceExW'

type_pattern
trojan adware _             192
trojan _ _                  152
trojan adware downloader     28
adware trojan downloader     21
trojan dropper _             19
trojan pua _                 10
trojan adware pua            10
trojan downloader _           8
trojan miner _                8
trojan spyware _              8
Name: count, dtype: int64

'DrawTextExW'

type_pattern
trojan _ _                  95
trojan adware _             73
trojan adware pua           10
trojan dropper _            10
trojan pua _                 6
trojan spyware _             6
adware trojan downloader     5
trojan adware dropper        5
trojan adware downloader     4
trojan dropper pua           3
Name: count, dtype: int64

'FindResourceA'

type_pattern
trojan _ _                  38
trojan dropper _            12
trojan adware _             10
adware trojan virus          7
adware trojan downloader     6
trojan spyware _             5
trojan downloader _          4
trojan pua _                 4
adware trojan _              2
adware _ _                   1
Name: count, dtype: int64

'RegQueryValueExA'

type_pattern
trojan adware _             121
trojan _ _                   66
downloader adware trojan     33
trojan adware virus          29
adware trojan virus          14
adware trojan _              14
trojan spyware _             10
trojan downloader adware      8
adware downloader trojan      8
downloader trojan adware      7
Name: count, dtype: int64

'NtOpenProcess'

type_pattern
downloader adware trojan    24
trojan adware virus         24
adware trojan virus         12
downloader trojan adware     7
adware downloader trojan     7
trojan adware _              5
trojan adware pua            1
adware downloader virus      1
adware trojan pua            1
Name: count, dtype: int64

'GetTimeZoneInformation'

type_pattern
trojan adware _             130
trojan adware downloader      8
trojan adware hacktool        1
trojan adware virus           1
Name: count, dtype: int64

'LookupAccountSidW'

type_pattern
trojan adware _             113
adware trojan downloader     15
trojan adware downloader     12
adware trojan _               4
trojan adware dropper         4
trojan _ _                    3
trojan downloader adware      1
trojan adware virus           1
pua trojan _                  1
syncopate _ _                 1
Name: count, dtype: int64

'GetFileType'

type_pattern
trojan adware _             123
trojan _ _                   49
adware trojan virus          10
trojan miner _                7
trojan adware virus           6
adware trojan dropper         5
adware trojan downloader      4
trojan adware downloader      3
trojan downloader _           3
trojan dropper _              3
Name: count, dtype: int64

'NtDeviceIoControlFile'

type_pattern
adware trojan virus         9
trojan adware _             5
trojan adware pua           4
trojan adware virus         4
trojan adware downloader    2
adware pua trojan           1
trojan pua adware           1
trojan pua _                1
trojan _ _                  1
pua adware trojan           1
Name: count, dtype: int64

'NtOpenDirectoryObject'

type_pattern
trojan adware _             203
trojan _ _                   41
trojan adware virus          41
adware trojan virus          12
trojan downloader adware      9
adware trojan _               7
miner trojan pua              6
trojan adware dropper         6
trojan downloader pua         5
trojan pua _                  3
Name: count, dtype: int64

'WSAStartup'

type_pattern
trojan adware _             145
trojan _ _                   31
trojan adware virus          29
adware trojan virus          16
trojan downloader adware     11
adware trojan downloader      8
adware trojan _               7
miner trojan pua              6
trojan downloader pua         5
trojan adware dropper         5
Name: count, dtype: int64

'IsDebuggerPresent'

type_pattern
trojan _ _                  41
trojan adware downloader    16
trojan adware _             14
trojan adware virus         11
downloader trojan adware     8
trojan miner _               7
adware trojan downloader     5
adware trojan virus          5
trojan dropper _             5
trojan downloader _          5
Name: count, dtype: int64

'SearchPathW'

type_pattern
trojan _ _                90
trojan dropper _           7
trojan spyware _           2
adware virus _             1
trojan pua _               1
trojan spyware dropper     1
trojan dropper spyware     1
trojan virus _             1
Name: count, dtype: int64

'SetWindowsHookExA'

type_pattern
trojan _ _                90
trojan dropper _           7
trojan spyware _           2
trojan downloader _        2
adware virus _             1
trojan pua _               1
trojan spyware dropper     1
trojan dropper spyware     1
techjoydown _ _            1
adware downloader _        1
Name: count, dtype: int64

'FindResourceExA'

type_pattern
trojan _ _             21
adware trojan _         6
trojan dropper _        4
adware trojan virus     3
adware virus _          1
adware trojan pua       1
trojan downloader _     1
Name: count, dtype: int64

'__exception__'

type_pattern
trojan _ _                  37
trojan dropper _             8
trojan banker spyware        5
trojan spyware _             3
trojan downloader _          2
trojan ransomware _          2
trojan adware dropper        2
trojan downloader adware     2
trojan spyware banker        2
adware virus _               1
Name: count, dtype: int64

'NtEnumerateKey'

type_pattern
trojan adware _        30
trojan adware virus    11
trojan _ _              9
adware trojan virus     8
trojan dropper _        7
trojan miner _          1
trojan spyware _        1
trojan worm _           1
trojan virus _          1
adware trojan _         1
Name: count, dtype: int64

'NtEnumerateValueKey'

type_pattern
trojan adware _        30
trojan adware virus    11
trojan _ _              9
adware trojan virus     8
trojan dropper _        7
trojan miner _          1
trojan spyware _        1
trojan worm _           1
trojan virus _          1
adware trojan _         1
Name: count, dtype: int64

'SHGetFolderPathW'

type_pattern
adware trojan downloader     14
trojan adware pua            10
adware trojan _               8
adware trojan virus           7
trojan _ _                    6
trojan dropper downloader     6
trojan spyware _              5
adware trojan dropper         5
adware _ _                    2
trojan worm downloader        2
Name: count, dtype: int64

'GetSystemDirectoryA'

type_pattern
trojan dropper _            9
trojan _ _                  5
adware trojan virus         5
trojan ransomware _         4
trojan downloader adware    3
adware trojan _             3
trojan downloader _         2
trojan adware downloader    2
trojan downloader virus     1
trojan miner dropper        1
Name: count, dtype: int64

'GetTempPathW'

type_pattern
trojan _ _                   41
ransomware trojan _          11
trojan dropper _              7
trojan ransomware _           7
ransomware trojan dropper     6
adware trojan downloader      5
trojan downloader adware      4
trojan pua _                  3
adware trojan virus           3
ransomware trojan pua         2
Name: count, dtype: int64

'SetEndOfFile'

type_pattern
trojan _ _                  43
trojan pua _                 3
adware _ _                   3
adware trojan virus          3
trojan dropper _             2
adware trojan downloader     2
adware pua _                 2
trojan spyware _             2
hacktool pua trojan          1
trojan downloader _          1
Name: count, dtype: int64

'GlobalMemoryStatus'

type_pattern
trojan _ _                  31
adware trojan _              6
trojan adware _              6
trojan adware downloader     4
adware trojan virus          3
trojan miner _               3
trojan dropper _             2
trojan adware virus          2
trojan adware dropper        2
trojan pua _                 1
Name: count, dtype: int64

'NtQueryInformationFile'

type_pattern
trojan _ _                   33
ransomware trojan _          11
adware trojan downloader      9
trojan adware virus           9
trojan dropper _              7
trojan ransomware _           7
ransomware trojan dropper     6
adware trojan _               6
adware trojan virus           6
trojan banker _               6
Name: count, dtype: int64

'NtOpenMutant'

type_pattern
trojan _ _                  20
trojan adware pua           10
downloader trojan adware     7
adware _ _                   2
trojan pua _                 1
trojan adware _              1
adware trojan _              1
adware trojan downloader     1
adware downloader trojan     1
downloader adware trojan     1
Name: count, dtype: int64

'GetUserNameW'

type_pattern
trojan adware _             85
trojan adware virus         16
trojan _ _                  13
trojan downloader adware     4
adware trojan _              3
trojan adware dropper        3
trojan dropper _             1
Name: count, dtype: int64

'NtCreateThreadEx'

type_pattern
trojan adware _             80
trojan adware virus         16
trojan _ _                  12
adware trojan _              9
adware trojan downloader     9
trojan adware dropper        5
trojan downloader adware     4
adware trojan virus          3
trojan adware downloader     2
adware trojan pua            1
Name: count, dtype: int64

'NtResumeThread'

type_pattern
trojan adware _             80
trojan _ _                  22
trojan adware virus         16
adware trojan downloader    10
adware trojan _              9
trojan adware dropper        5
trojan downloader adware     4
adware trojan virus          3
trojan adware downloader     2
adware trojan pua            1
Name: count, dtype: int64

'DeviceIoControl'

type_pattern
adware trojan virus         12
adware trojan downloader     9
adware trojan _              6
trojan adware _              5
trojan adware pua            4
trojan adware virus          4
trojan adware downloader     3
adware trojan pua            1
adware pua trojan            1
trojan pua adware            1
Name: count, dtype: int64

'GetAdaptersInfo'

type_pattern
adware trojan downloader    9
adware trojan _             6
adware trojan virus         3
adware trojan pua           1
trojan adware downloader    1
Name: count, dtype: int64

'GetComputerNameA'

type_pattern
adware trojan _        6
adware trojan virus    3
adware trojan pua      1
Name: count, dtype: int64

'GlobalMemoryStatusEx'

type_pattern
adware trojan _             6
trojan adware _             6
trojan adware downloader    4
adware trojan virus         3
trojan miner _              3
trojan adware virus         2
trojan adware dropper       2
adware trojan pua           1
trojan adware pua           1
Name: count, dtype: int64

'LdrUnloadDll'

type_pattern
trojan _ _                  17
trojan miner _              12
trojan dropper _            10
adware trojan downloader     9
miner trojan pua             6
adware trojan _              6
adware trojan virus          5
trojan adware downloader     4
trojan downloader _          4
trojan pua _                 2
Name: count, dtype: int64

'GetFileSizeEx'

type_pattern
trojan _ _          7
trojan dropper _    2
trojan miner _      1
Name: count, dtype: int64

'GetFileVersionInfoSizeW'

type_pattern
trojan adware _             41
trojan _ _                  12
adware trojan downloader    10
trojan adware virus          9
trojan spyware _             5
trojan dropper _             2
trojan downloader adware     2
adware trojan _              2
adware downloader trojan     1
trojan adware downloader     1
Name: count, dtype: int64

'GetFileVersionInfoW'

type_pattern
trojan adware _             32
trojan _ _                  11
adware trojan downloader    10
trojan adware virus          9
trojan spyware _             5
trojan dropper _             2
trojan downloader adware     2
adware trojan _              2
adware downloader trojan     1
trojan adware downloader     1
Name: count, dtype: int64

'GetCursorPos'

type_pattern
trojan _ _             20
trojan adware pua       4
trojan dropper _        3
dropper trojan _        3
trojan pua _            2
trojan downloader _     2
adware pua trojan       1
trojan pua adware       1
pua adware trojan       1
trojan adware _         1
Name: count, dtype: int64

'DrawTextExA'

type_pattern
trojan spyware _    5
trojan _ _          4
trojan dropper _    1
Name: count, dtype: int64

'OutputDebugStringA'

type_pattern
adware trojan downloader    9
adware trojan dropper       5
trojan adware pua           4
adware pua trojan           1
trojan pua adware           1
trojan pua _                1
trojan _ _                  1
pua adware trojan           1
trojan adware _             1
adware trojan _             1
Name: count, dtype: int64

'GetForegroundWindow'

type_pattern
trojan adware downloader    16
downloader trojan adware     8
trojan _ _                   8
trojan dropper _             8
adware downloader trojan     3
trojan downloader adware     3
downloader adware trojan     3
trojan downloader _          3
trojan worm downloader       3
adware trojan downloader     2
Name: count, dtype: int64

'RegCreateKeyExA'

type_pattern
adware trojan virus         9
adware trojan downloader    6
adware _ _                  2
trojan adware _             1
trojan _ _                  1
adware trojan _             1
adware trojan pua           1
Name: count, dtype: int64

'socket'

type_pattern
adware trojan virus         12
adware trojan downloader     8
miner trojan pua             6
adware _ _                   2
adware downloader trojan     2
trojan miner _               2
trojan adware _              1
trojan _ _                   1
adware trojan _              1
miner trojan adware          1
Name: count, dtype: int64

'CreateDirectoryW'

type_pattern
trojan _ _                   12
trojan dropper downloader     6
trojan downloader pua         5
trojan dropper _              5
adware trojan virus           5
trojan downloader adware      4
trojan pua _                  3
adware _ _                    3
adware pua _                  2
trojan adware _               2
Name: count, dtype: int64

'NtWriteFile'

type_pattern
adware trojan downloader     15
trojan _ _                   12
trojan dropper downloader     6
adware trojan virus           6
trojan dropper _              5
adware trojan dropper         5
trojan downloader adware      4
trojan adware downloader      3
trojan pua _                  3
adware _ _                    3
Name: count, dtype: int64

'CreateProcessInternalW'

type_pattern
trojan _ _                  22
adware _ _                   3
adware trojan virus          3
adware trojan downloader     2
trojan pua _                 2
hacktool pua trojan          1
trojan downloader _          1
adware pua _                 1
opencandy candyopen _        1
trojan spyware _             1
Name: count, dtype: int64

'DeleteFileW'

type_pattern
trojan _ _                  6
adware trojan downloader    2
adware _ _                  2
trojan pua _                2
hacktool pua trojan         1
trojan downloader _         1
adware pua _                1
opencandy candyopen _       1
trojan spyware _            1
msil _ _                    1
Name: count, dtype: int64

'RemoveDirectoryA'

type_pattern
trojan dropper _            5
trojan _ _                  4
trojan pua _                3
adware trojan virus         3
adware trojan downloader    2
hacktool pua trojan         1
trojan downloader _         1
msil _ _                    1
adware _ _                  1
downloader _ _              1
Name: count, dtype: int64

'GetSystemWindowsDirectoryA'

type_pattern
trojan ransomware _      7
trojan _ _               2
trojan pua ransomware    1
Name: count, dtype: int64

'RegEnumKeyExA'

type_pattern
trojan _ _               12
trojan ransomware _       7
trojan pua ransomware     1
Name: count, dtype: int64

'RegEnumValueA'

type_pattern
trojan ransomware _      7
trojan _ _               2
trojan pua ransomware    1
Name: count, dtype: int64

'SetWindowsHookExW'

type_pattern
trojan adware _             4
dropper trojan _            3
trojan dropper _            2
trojan _ _                  2
trojan adware dropper       2
dropper _ _                 1
trojan dropper adware       1
trojan adware pua           1
trojan adware downloader    1
Name: count, dtype: int64

'WriteConsoleA'

type_pattern
trojan adware _    20
Name: count, dtype: int64

'SetFileAttributesW'

type_pattern
trojan dropper downloader    6
trojan adware _              2
trojan worm downloader       2
trojan adware pua            1
trojan downloader dropper    1
Name: count, dtype: int64

'WriteProcessMemory'

type_pattern
trojan _ _                  10
adware trojan downloader     5
adware trojan virus          4
adware downloader trojan     1
Name: count, dtype: int64

'CreateToolhelp32Snapshot'

type_pattern
adware trojan downloader    9
trojan _ _                  6
adware trojan virus         5
adware downloader trojan    1
adware trojan pua           1
trojan miner _              1
trojan pua _                1
trojan ransomware _         1
trojan dropper worm         1
Name: count, dtype: int64

'Process32FirstW'

type_pattern
adware trojan downloader    9
adware trojan virus         5
adware downloader trojan    1
adware trojan pua           1
Name: count, dtype: int64

'Process32NextW'

type_pattern
adware trojan downloader    9
adware trojan virus         5
adware downloader trojan    1
adware trojan pua           1
Name: count, dtype: int64

'RemoveDirectoryW'

type_pattern
trojan _ _               2
adware pua _             1
opencandy candyopen _    1
trojan spyware _         1
adware _ _               1
Name: count, dtype: int64

'InternetSetOptionA'

type_pattern
trojan downloader adware    3
Name: count, dtype: int64

'ReadProcessMemory'

type_pattern
trojan _ _                  10
trojan downloader adware     3
Name: count, dtype: int64

'NtCreateKey'

type_pattern
trojan downloader adware    3
Name: count, dtype: int64

'NtSetValueKey'

type_pattern
trojan downloader adware    3
Name: count, dtype: int64

'NtOpenThread'

type_pattern
trojan downloader adware    2
Name: count, dtype: int64

'CoUninitialize'

type_pattern
trojan _ _       3
pua trojan _     1
syncopate _ _    1
Name: count, dtype: int64

'GetFileAttributesExW'

type_pattern
adware trojan dropper    5
adware trojan _          1
Name: count, dtype: int64

'closesocket'

type_pattern
miner trojan pua       6
trojan miner _         2
miner trojan adware    1
miner trojan _         1
Name: count, dtype: int64

'GetShortPathNameW'

type_pattern
trojan _ _                   19
trojan dropper downloader     6
trojan worm downloader        2
trojan downloader dropper     1
trojan spyware _              1
Name: count, dtype: int64

'RegSetValueExA'

type_pattern
adware trojan virus         9
adware trojan downloader    6
adware trojan pua           1
Name: count, dtype: int64

'LookupPrivilegeValueW'

type_pattern
trojan _ _    10
Name: count, dtype: int64

'GetUserNameA'

type_pattern
trojan _ _    10
Name: count, dtype: int64

'ioctlsocket'

type_pattern
adware trojan virus         8
adware trojan downloader    2
Name: count, dtype: int64

'select'

type_pattern
adware trojan virus         8
adware trojan downloader    2
Name: count, dtype: int64

'NtTerminateProcess'

type_pattern
trojan _ _      2
trojan pua _    1
msil _ _        1
Name: count, dtype: int64

'NtSetInformationFile'

type_pattern
trojan dropper _       5
adware trojan virus    2
downloader _ _         1
trojan pua _           1
Name: count, dtype: int64

'OpenSCManagerW'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'OpenServiceW'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'CoInitializeSecurity'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'CoCreateInstanceEx'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'GetComputerNameW'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'CoGetClassObject'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'IWbemServices_ExecQuery'

type_pattern
adware trojan downloader    9
trojan adware downloader    1
Name: count, dtype: int64

'Module32FirstW'

type_pattern
trojan _ _             6
trojan miner _         1
trojan pua _           1
trojan ransomware _    1
trojan dropper worm    1
Name: count, dtype: int64

'Module32NextW'

type_pattern
trojan _ _             6
trojan miner _         1
trojan pua _           1
trojan ransomware _    1
trojan dropper worm    1
Name: count, dtype: int64

GetSystemTimeAsFileTime

type_pattern
trojan adware _              322
trojan adware pua            112
trojan _ _                    95
trojan adware virus           77
trojan adware downloader      42
downloader adware trojan      37
adware trojan virus           35
trojan dropper _              27
adware trojan downloader      24
trojan downloader adware      22
trojan adware dropper         21
adware trojan _               17
downloader trojan adware      16
trojan miner _                15
miner trojan pua              12
adware downloader trojan      12
trojan ransomware _           10
trojan pua _                   8
trojan downloader _            6
trojan downloader pua          5
adware trojan dropper          5
trojan downloader dropper      5
adware trojan pua              4
dropper trojan _               3
trojan dropper pua             3
trojan miner downloader        2
trojan miner pua               2
adware _ _                     2
downloader _ _                 2
troja