https://book.hacktricks.xyz/reversing-and-exploiting/common-api-used-in-malware
Hooking: unhookwindowshookex
Network: dnsquery, getaddrinfo, httpopenrequest, httpsendrequest, internetclosehandle, internetconnect, internetopen, internetopenurl, internetreadfile, internetwritefile
Windows: findwindow, findwindowex
Process: createprocessinternal, exitprocess, ntallocatevirtualmemory, ntcreateprocess, ntcreateprocessex, ntcreatesection, ntcreateuserprocess, ntfreevirtualmemory, ntopenprocess, ntopensection, ntprotectvirtualmemory, ntreadvirtualmemory, ntterminateprocess, ntwritevirtualmemory, readprocessmemory, shellexecuteexw, system, virtualfreeex, virtualprotectex, writeprocessmemory, zwmapviewofsection
Misc: getcursorpos, getsystemmetrics
System: exitwindowsex, isdebuggerpresent, ldrgetdllhandle, ldrgetprocedureaddress, ldrloaddll, lookupprivilegevalue, ntclose, ntdelayexecution, setwindowshookex, writeconsole
Threading: createremotethread, createthread, exitthread, ntgetcontextthread, ntcreatethread, ntopenthread, ntresumethread, ntsetcontextthread, ntsuspendthread, ntterminatethread, rtlcreateuserthread
Synchronisation: ntcreatemutant, ntcreatenamedpipefile, ntopenmutant
Device: deviceiocontrol
Registry: ntcreatekey, ntdeletekey, ntdeletevaluekey, ntenumeratekey, ntenumeratevaluekey, ntloadkey, ntopenkey, ntquerykey, ntquerymultiplevaluekey, ntqueryvaluekey, ntrenamekey, ntreplacekey, ntsavekey, ntsetvaluekey, regclosekey, regcreatekeyex, regdeletekey, regdeletevalue, regenumkeyex, regenumkey, regenumvalue, regopenkeyex, regqueryinfokey, regqueryvalueex, regsetvalueex
Filesystem: createdirectory, removedirectory, findfirstfile, deletefile, ntcreatefile, ntopenfile, ntreadfile, ntwritefile, ntdeviceiocontrolfile, ntquerydirectoryfile, ntqueryinformationfile, ntsetinformationfile, ntopendirectoryobject, ntcreatedirectoryobject, movefilewithprogress, copyfile, ntdeletefile
Services: controlservice, createservice, deleteservice, openscmanager, openservice, startservice
Socket: accept, bind, closesocket, connect, gethostbyname, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket, transmitfile, wsarecv, wsarecvfrom