
Wednesday, February 15, 2023

Packer Process Injection - CreateProcessInternalW CREATE_SUSPENDED

CreateProcessInternalW

CreationFlags: CREATE_SUSPENDED 0x00000004


Malware that creates a process in a suspended state is typically a packer performing process injection: it has unpacked its payload in memory and is injecting that code into a legitimate user process.

The suspended create will be followed by calls such as:

NtGetContextThread

ReadProcessMemory

memcpy

WriteProcessMemory ('MZ')

NtSetContextThread

NtResumeThread

These calls edit the memory of the suspended process, inject the malicious code (the 'MZ' written by WriteProcessMemory is the header of a PE image), and then resume the thread so the injected code runs.
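As an added example (not from the original post), here is a small detector that walks an API trace and flags the chain described above: a CreateProcessInternalW call with CREATE_SUSPENDED, followed by a WriteProcessMemory of a buffer starting with 'MZ', a thread-context rewrite and a resume. The trace lines and their "pid Api(args) -> result" layout are constructed for the example; real sandbox or API-monitor logs use their own formats.

```python
import re
CREATE_SUSPENDED = 0x00000004

# Constructed sample trace; the "pid Api(args) -> result" layout is an assumption.
SAMPLE_TRACE = r"""
1234 CreateProcessInternalW(lpApplicationName="C:\Windows\System32\svchost.exe", dwCreationFlags=0x00000004) -> pid=5678
1234 NtGetContextThread(hThread=0x1a4)
1234 ReadProcessMemory(hProcess=0x1a0, lpBaseAddress=0x7ff600000000, nSize=0x200)
1234 WriteProcessMemory(hProcess=0x1a0, lpBaseAddress=0x400000, buffer="MZ\x90\x00...")
1234 NtSetContextThread(hThread=0x1a4)
1234 NtResumeThread(hThread=0x1a4)
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)(?:\s*->\s*(?P<ret>.*))?$')
FLAGS_RE = re.compile(r'dwCreationFlags=(0x[0-9a-fA-F]+)')
BUF_RE = re.compile(r'buffer="(..)')
TARGET_RE = re.compile(r'pid=(\d+)')
# Chain that must follow the suspended create, in order (Win32 wrappers accepted);
# NtGetContextThread, ReadProcessMemory and memcpy may sit in between.
SEQUENCE = (("WriteProcessMemory",),
            ("NtSetContextThread", "SetThreadContext"),
            ("NtResumeThread", "ResumeThread"))

def detect_suspended_injection(trace):
    """Return [(caller_pid, target_pid)] per suspended create + 'MZ' write + context rewrite + resume."""
    state, hits = {}, []   # state: caller pid -> {"target": child pid, "step": n}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, api, args, ret = m.group("pid", "api", "args", "ret")
        if api == "CreateProcessInternalW":
            fm, tm = FLAGS_RE.search(args), TARGET_RE.search(ret or "")
            if fm and int(fm.group(1), 16) & CREATE_SUSPENDED:
                state[pid] = {"target": tm.group(1) if tm else "?", "step": 0}
            else:
                state.pop(pid, None)   # a non-suspended create starts no chain
            continue
        st = state.get(pid)
        if st is None or api not in SEQUENCE[st["step"]]:
            continue
        if api == "WriteProcessMemory":
            bm = BUF_RE.search(args)
            if bm is None or bm.group(1) != "MZ":
                continue   # non-PE data written: the chain does not advance
        st["step"] += 1
        if st["step"] == len(SEQUENCE):
            hits.append((pid, st["target"]))
            del state[pid]
    return hits
```

A suspended create alone is not a verdict (debuggers and some installers use it too); the detector only fires once the PE write, context rewrite and resume all follow from the same caller.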