[ CreateToolhelp32Snapshot ]
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot

[ PROCESSENTRY32 structure ]
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32

[ Process32First ]
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first

[ Process32Next ]
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next

[ Taking a Snapshot and Viewing Processes ]
https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes

[ VirtualAllocEx ]*
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex

[ WriteProcessMemory ]*
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory

[ CreateRemoteThread ]*
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread

[ OpenProcess ]*
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

[ Process Security and Access Rights - Used in 1st param of OpenProcess ]
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

* Signature APIs in Remote Process Injection Malware - if you see these, it means the malware has process injection capabilities