[ VirtualAllocEx ]*
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex

[ WriteProcessMemory ]*
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory

[ CreateRemoteThread ]*
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread

[ OpenProcess ]*
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
3rd param (dwProcessId) is the pid of the target process

[ Process Security and Access Rights - used in 1st param (dwDesiredAccess) of OpenProcess ]
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

* signature APIs of remote process injection malware - if you see this set together (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread), the sample very likely has process injection capabilities. Caveat: many samples resolve these at runtime with GetProcAddress instead of importing them, so an import table without them does not rule injection out; confirm with the breakpoints.

[ Breakpoints ]
bp OpenProcess
    watch the 3rd parameter, which is the pid of the target process; find that pid in ProcessHacker and keep its memory view open
bp WriteProcessMemory
    watch the 2nd param, which is the target address (lpBaseAddress) for the shellcode in the remote process; monitor that region in ProcessHacker, and once it is populated (after the call returns), dump it to a file. The 3rd param (lpBuffer) points to the same shellcode in the injector's own memory, so it can also be dumped directly while stopped at the breakpoint.
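Worked example (added here, not part of the original notes): a small Python script that performs the static check the footnote above describes. It walks a PE's import directory (PE32 and PE32+), lists the imported names per DLL, and reports whether the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread set is present. The PE it scans is constructed in build_sample_pe() so the script runs offline; that builder, its layout and the function names are this example's own, not from the notes or from any real sample.

```python
import struct

# The four signature APIs from the notes above: a PE that imports the whole
# set is a strong static indicator of remote process injection.
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread"}


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the (vsize, va, rawsize, rawptr) table."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def parse_imports(data):
    """Walk the PE import directory and return {dll: [imported names]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                   # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                              # PE32
        dir_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                                            # PE32+
        dir_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]  # data directory entry 1
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
                for i in range(nsections)]
    imports = {}
    if import_rva == 0:
        return imports
    desc = _rva_to_offset(sections, import_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR; an all-zero entry terminates the array.
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = _cstring(data, _rva_to_offset(sections, name_rva))
        thunk, names = _rva_to_offset(sections, oft or ft), []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:                                    # import by ordinal
                names.append(f"#{entry & 0xFFFF}")
            else:                                                   # skip the 2-byte hint
                names.append(_cstring(data, _rva_to_offset(sections, entry) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = names
        desc += 20
    return imports


def injection_signature(imports):
    """Return (matched signature APIs, True if the complete set is imported)."""
    found = INJECTION_APIS & {n for names in imports.values() for n in names}
    return sorted(found), found == INJECTION_APIS


def build_sample_pe(imports_by_dll, pe32plus=True):
    """Constructed test input: a minimal PE whose only section is .idata."""
    thunk_fmt = "<Q" if pe32plus else "<I"
    sec_rva, sec_raw, ndesc = 0x1000, 0x200, len(imports_by_dll) + 1
    body, descs = bytearray(20 * ndesc), []              # descriptors come first
    for dll, names in imports_by_dll.items():
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\x00"
        hint_rvas = []
        for n in names:
            hint_rvas.append(sec_rva + len(body))
            body += b"\x00\x00" + n.encode() + b"\x00"   # 2-byte hint, then name
        body += b"\x00" * (-len(body) % struct.calcsize(thunk_fmt))
        thunk_rva = sec_rva + len(body)
        body += b"".join(struct.pack(thunk_fmt, r) for r in hint_rvas + [0])
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva))
    body[:20 * (ndesc - 1)] = b"".join(descs)
    opt_size, dir_off = (240, 112) if pe32plus else (224, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, dir_off + 8, sec_rva, 20 * ndesc)
    section = (b".idata".ljust(8, b"\x00")
               + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + bytes(16))
    hdr = bytearray(b"MZ".ljust(0x40, b"\x00"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew
    hdr += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                       1, 0, 0, 0, opt_size, 0x22)
    return bytes((hdr + opt + section).ljust(sec_raw, b"\x00") + body)
```

To run it against a real file, call parse_imports(open(path, "rb").read()) and pass the result to injection_signature(). Keep the caveat from the notes above in mind: a sample that resolves these APIs at runtime with GetProcAddress shows nothing here, which is why the OpenProcess / WriteProcessMemory breakpoints remain the decisive check.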