BumbleBee
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
11 syscalls cited
- NtAllocateVirtualMemoryEx
Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).
- NtProtectVirtualMemory
Changes the protection on a region of committed virtual memory in a target process.
- NtFreeVirtualMemory
Decommits or releases a region of virtual memory in a target process.
- NtQueryVirtualMemory
Retrieves information about pages in a target process's virtual address space.
- NtCreateSection
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtMapViewOfSection
Maps a view of a section object into the virtual address space of a target process.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtQueryInformationThread
Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.
- NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state.
- NtQuerySystemTime
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtClose
Closes a kernel object handle (file, key, event, process, thread, section, etc.).