Emotet
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
13 syscalls cited
- NtAllocateVirtualMemory
Reserves and/or commits a region of pages in the virtual address space of a target process; when the target is another process, it is the first step of classic remote injection.
- NtCreateThreadEx
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtResumeThread
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtGetCurrentProcessorNumber
Returns the zero-based logical-processor index the calling thread is currently executing on.
- NtCreateEvent
Creates a named or unnamed event synchronization object and returns a handle to it.
- NtOpenEvent
Opens a handle to an existing named event object.
- NtSetEvent
Sets an event object to the signaled state, releasing waiting threads.
- NtCreateMutant
Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.
- NtQuerySystemTime
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtCreateKey
Creates or opens a registry key, the kernel-level primitive behind every persistence entry written to the registry.
- NtSetValueKey
Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.
- NtCreateFile
Creates or opens a file, directory, device, or named pipe; the call behind any dropper's write of a payload to disk.
- NtQueryDirectoryObject
Enumerates the entries (name + type) inside an object-manager directory.
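The following is an added example, not code from the page or from any Emotet sample: a small detection pass that shows how several of the syscalls listed above combine into two recognisable sequences (NtAllocateVirtualMemory in a foreign process, then NtCreateThreadEx there, optionally suspended and followed by NtResumeThread; and NtCreateKey on a Run key followed by NtSetValueKey through the same handle), and how an NtQuerySystemTime-style FILETIME is converted to a readable timestamp. The trace format, the field names (target_pid, handle, suspended, path, name, data) and the sample trace itself are assumptions constructed for the example; a real tracer would have to resolve the handles the actual syscalls take into those fields.

```python
"""Added example (not from the page): a two-rule detection pass over a
constructed syscall trace.

Trace line format is an assumption for this example:
    <FILETIME>|<caller_pid>|<syscall>|<key=value>[;<key=value>...]
FILETIME is the NtQuerySystemTime representation (100-ns ticks since
1601-01-01 UTC).  target_pid and handle fields are assumed to have been
resolved by the tracer from the handles the real syscalls take.
"""
from datetime import datetime, timedelta, timezone

# Ticks between 1601-01-01 and 1970-01-01; the usual FILETIME -> Unix offset.
EPOCH_DIFF_100NS = 116_444_736_000_000_000

def filetime_to_unix(ft: int) -> float:
    """FILETIME ticks -> Unix seconds (float)."""
    return (ft - EPOCH_DIFF_100NS) / 10_000_000

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (sub-microsecond part dropped)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_trace(text: str) -> list:
    """Parse the assumed trace format into event dicts, in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ft, pid, name, args = line.split("|", 3)
        kv = dict(a.split("=", 1) for a in args.split(";") if a)
        events.append({"ts": int(ft), "pid": int(pid), "syscall": name, "args": kv})
    return events

def detect_remote_injection(events: list) -> list:
    """NtAllocateVirtualMemory in a foreign process, then NtCreateThreadEx there;
    a later NtResumeThread on the same pair marks the suspended variant as completed."""
    allocated = set()   # (caller, target) pairs with a foreign allocation seen
    pending = {}        # (caller, target) -> hit awaiting NtResumeThread
    hits = []
    for ev in events:
        target = int(ev["args"].get("target_pid", ev["pid"]))
        key = (ev["pid"], target)
        if target == ev["pid"]:
            continue                      # self-targeted calls are not injection
        if ev["syscall"] == "NtAllocateVirtualMemory":
            allocated.add(key)
        elif ev["syscall"] == "NtCreateThreadEx" and key in allocated:
            hit = {"caller_pid": ev["pid"], "target_pid": target,
                   "suspended": ev["args"].get("suspended") == "1",
                   "resumed": False,
                   "time": filetime_to_datetime(ev["ts"]).isoformat()}
            hits.append(hit)
            pending[key] = hit
        elif ev["syscall"] == "NtResumeThread" and key in pending:
            pending.pop(key)["resumed"] = True
    return hits

# Substring match on the object-manager path; also catches RunOnce/RunServices.
RUN_KEY_MARKER = "\\currentversion\\run"

def detect_run_key_persistence(events: list) -> list:
    """NtCreateKey on a Run key followed by NtSetValueKey through the same handle."""
    handles = {}   # (pid, handle) -> key path
    hits = []
    for ev in events:
        a = ev["args"]
        if ev["syscall"] == "NtCreateKey":
            handles[(ev["pid"], a.get("handle"))] = a.get("path", "")
        elif ev["syscall"] == "NtSetValueKey":
            path = handles.get((ev["pid"], a.get("handle")), "")
            if RUN_KEY_MARKER in path.lower():
                hits.append({"pid": ev["pid"], "key": path, "value": a.get("name"),
                             "data": a.get("data"),
                             "time": filetime_to_datetime(ev["ts"]).isoformat()})
    return hits

# Constructed sample trace: pid 1234 injects into 5678 and writes a Run value;
# pid 4321 only allocates and starts a thread in itself (benign).
SAMPLE_TRACE = r"""
132223104000000000|1234|NtQuerySystemTime|
132223104000100000|1234|NtAllocateVirtualMemory|target_pid=5678;size=4096;protect=0x40
132223104000200000|1234|NtCreateThreadEx|target_pid=5678;suspended=1
132223104000300000|1234|NtResumeThread|target_pid=5678
132223104000400000|1234|NtCreateKey|handle=0x1c;path=\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run
132223104000500000|1234|NtSetValueKey|handle=0x1c;name=updater;data=C:\Users\u\AppData\Local\updater.exe
132223104000600000|4321|NtAllocateVirtualMemory|size=65536;protect=0x04
132223104000700000|4321|NtCreateThreadEx|suspended=0
"""

def analyze(trace_text: str) -> dict:
    """Run both rules over a trace and return the hits per rule."""
    events = parse_trace(trace_text)
    return {"injection": detect_remote_injection(events),
            "persistence": detect_run_key_persistence(events)}

if __name__ == "__main__":
    for rule, found in analyze(SAMPLE_TRACE).items():
        for hit in found:
            print(rule, hit)
```

Run stand-alone it prints one injection hit (1234 into 5678, suspended and then resumed) and one Run-key write; the self-targeted allocation and thread in pid 4321 produce nothing. The pair-keyed state is what keeps the rule from firing on a process that merely allocates memory in itself and starts a worker thread, which is the most common benign look-alike.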