Qakbot

Reserves, commits or both a region of virtual memory in a target process.

Changes the protection on a region of committed virtual memory in a target process.

Writes a buffer from the caller into the virtual address space of a target process.

Reads bytes from the virtual address space of a target process into a caller-supplied buffer.

Opens a handle to an existing process with a requested access mask.

Queues a user-mode asynchronous procedure call (APC) to a target thread.

Creates a new user-mode process and its initial thread from an executable image.

Decrements the suspend count of a thread, resuming execution when the count reaches zero.

Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.

Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.

Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.

Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.

Returns the zero-based logical-processor index the calling thread is currently executing on.

Waits until a dispatcher object becomes signaled or the optional timeout expires.

Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.

Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.

Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.

Closes a kernel object handle (file, key, event, process, thread, section, etc.).

Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.