ScareCrow loader

Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.

3 syscalls cited

NtFlushInstructionCache
Invalidates the instruction cache for a region in a target process so freshly written code can be executed.
NtMapViewOfSectionEx
Windows 10 1809+ extended section-mapping syscall that accepts MEM_EXTENDED_PARAMETER constraints.
NtAreMappedFilesTheSame
Determines whether two mapped views are backed by the same file (file object identity test).