[ Remcos ]
https://success.trendmicro.com/solution/1123281-remcos-malware-information
https://breakingsecurity.net/remcos/

[ CreateProcessInternalW ]
http://a-twisted-world.blogspot.com/2008/03/createprocessinternal-function.html

    DWORD WINAPI CreateProcessInternal(
        __in        DWORD                  unknown1,              // always (?) NULL
        __in_opt    LPCTSTR                lpApplicationName,
        __inout_opt LPTSTR                 lpCommandLine,
        __in_opt    LPSECURITY_ATTRIBUTES  lpProcessAttributes,
        __in_opt    LPSECURITY_ATTRIBUTES  lpThreadAttributes,
        __in        BOOL                   bInheritHandles,
        __in        DWORD                  dwCreationFlags,
        __in_opt    LPVOID                 lpEnvironment,
        __in_opt    LPCTSTR                lpCurrentDirectory,
        __in        LPSTARTUPINFO          lpStartupInfo,
        __out       LPPROCESS_INFORMATION  lpProcessInformation,
        __in        DWORD                  unknown2               // always (?) NULL
    );

The 7th parameter is dwCreationFlags. If it is 4, the process is created in a suspended state.

[ WriteProcessMemory ]
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory

    BOOL WriteProcessMemory(
        HANDLE   hProcess,
        LPVOID   lpBaseAddress,
        LPCVOID  lpBuffer,
        SIZE_T   nSize,
        SIZE_T   *lpNumberOfBytesWritten
    );
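The two calls above are worth correlating when triaging an API-monitor trace of a sample: a CreateProcessInternalW whose dwCreationFlags has the 0x4 bit (CREATE_SUSPENDED) set, followed by WriteProcessMemory against the handle that call returned. The script below is an added example (not part of these notes or of any monitoring tool) that runs that check over a constructed trace; the one-call-per-line "Api(arg=value, ...) -> ret" format is an assumption.

```python
import re

CREATE_SUSPENDED = 0x4  # the dwCreationFlags value the notes point at

# Constructed sample trace (format assumed, not from any specific tool):
# a suspended create followed by a write into that handle, then a normal
# create whose handle is also written to, which the check must ignore.
SAMPLE_TRACE = """\
CreateProcessInternalW(lpApplicationName="C:\\Windows\\System32\\svchost.exe", dwCreationFlags=0x4) -> hProcess=0x1a4
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x1200) -> 1
CreateProcessInternalW(lpApplicationName="C:\\Windows\\notepad.exe", dwCreationFlags=0x0) -> hProcess=0x1b8
WriteProcessMemory(hProcess=0x1b8, lpBaseAddress=0x7ff000, nSize=0x10) -> 1
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*->\s*(.*)$')
ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+?)(?:,|$)')


def parse_call(line):
    """Split one trace line into (api, args dict, return dict), or None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, arg_text, ret_text = m.groups()
    args = {k: v.strip('"') for k, v in ARG_RE.findall(arg_text)}
    ret = {k: v.strip('"') for k, v in ARG_RE.findall(ret_text)}
    return api, args, ret


def suspended_then_written(trace):
    """Return (image path, bytes written) for every process created with
    CREATE_SUSPENDED whose handle is later passed to WriteProcessMemory.
    Debuggers and some legitimate loaders produce the same pair, so treat
    a hit as a triage lead, not a verdict."""
    suspended = {}  # hProcess -> image path
    hits = []
    for line in trace.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        api, args, ret = parsed
        if api == 'CreateProcessInternalW':
            flags = int(args.get('dwCreationFlags', '0'), 0)
            if flags & CREATE_SUSPENDED and 'hProcess' in ret:
                suspended[ret['hProcess']] = args.get('lpApplicationName', '?')
        elif api == 'WriteProcessMemory' and args.get('hProcess') in suspended:
            hits.append((suspended[args['hProcess']], int(args.get('nSize', '0'), 0)))
    return hits


if __name__ == '__main__':
    for image, size in suspended_then_written(SAMPLE_TRACE):
        print(f'suspended process {image} written to ({size:#x} bytes)')
```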