Ekko sleep mask
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
4 syscalls cited
- NtTestAlert
Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.
- NtContinue
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtAlertResumeThread
Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.
- NtDelayExecution
Suspends the calling thread for a specified interval, optionally in an alertable state.