Royal
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
6 syscalls cited
- NtTerminateProcess
Terminates a target process and all of its threads with a given exit status.
- NtSuspendProcess
Suspends every thread in a target process by incrementing each thread's suspend count.
- NtResumeProcess
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtWriteFile
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtSetInformationFile
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtQueryVolumeInformationFile
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.