BlackCat / ALPHV
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
8 syscalls cited
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtDuplicateToken
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtCreateNamedPipeFile
Creates the server end of a named pipe in the \Device\NamedPipe device namespace.
- NtDeleteKey
Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtSetSystemPowerState
Transitions the system into the requested sleep, hibernate or working power state.
- NtInitiatePowerAction
Requests the power manager to perform a system-wide power action (sleep, hibernate, shutdown, reboot).