A few weeks ago I received a PE file (MD5: 34105EF38CEA1B4B2ABADD0CB3404E69) and was asked to figure out if it is related to the Betabot malware family. This sample was executed on a 32-bit version of Windows XP SP3. It covers the initial execution of the dropper up to the point that a copy of itself is spawned. The malware uses CreateProcessW() to call itself. After calling CreateProcess, NtWriteVirtualMemory is used to write the UPX-packed PE file into the spawned process's memory at 0x400000.
Source: https://blog.talosintelligence.com/2014/05/betabot-process-injection.html
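The sequence the excerpt describes (spawn a copy of your own image, then NtWriteVirtualMemory a packed PE into the child at 0x400000) is exactly what an analyst wants to pull out of an API trace. The following is an added example, my own code and not Talos's nor anything from the Betabot sample: it walks a constructed sandbox-style trace, flags a process that CreateProcessW-spawns its own image path and then writes an MZ buffer to 0x400000 through the child handle, and parses that buffer to confirm it is a PE32 whose section names are UPX's. The trace record layout, the function names (find_self_injection, analyze, build_pe32, parse_pe32, is_upx_packed) and the minimal header-only PE built for the test are all assumptions made for this example.

```python
"""Added example (not from the Talos post): detect a process that spawns a copy of
itself and writes an MZ buffer to 0x400000 in the child, then check whether that
buffer is a UPX-packed PE32. Trace format, helper names and the sample PE are
constructed for this example and are not any real tool's output."""
import struct

IMAGE_BASE = 0x400000                 # default PE32 image base the dropper overwrites
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def build_pe32(section_names, image_base=IMAGE_BASE):
    """Construct a minimal header-only PE32 image for testing (no real code inside)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase field
    secs = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + secs


def parse_pe32(data):
    """Return (image_base, [section names]) for a PE32 buffer, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24
    if len(data) < opt + 0x1C + 4 or data[e_lfanew:coff] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 only; the sample is 32-bit
        return None
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sec_off = opt + opt_size
    if len(data) < sec_off + 40 * nsec:
        return None
    names = [data[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\x00") for i in range(nsec)]
    return image_base, names


def is_upx_packed(data):
    """Stock UPX keeps its section names; a modified packer may rename them."""
    parsed = parse_pe32(data)
    return parsed is not None and any(n in UPX_SECTIONS for n in parsed[1])


def find_self_injection(trace):
    """Yield (parent_pid, child_pid, written_bytes) for each process that spawns a
    copy of its own image and then writes an MZ buffer to IMAGE_BASE in that child."""
    image_of = {}        # pid -> image path (lower-cased)
    self_children = {}   # (parent pid, child process handle) -> child pid
    for pid, api, args in trace:
        if api == "ProcessStart":
            image_of[pid] = args["image"].lower()
        elif api == "CreateProcessW":
            image_of[args["child_pid"]] = args["application"].lower()
            if image_of[args["child_pid"]] == image_of.get(pid):
                self_children[(pid, args["hprocess"])] = args["child_pid"]
        elif api == "NtWriteVirtualMemory":
            child = self_children.get((pid, args["hprocess"]))
            if child is not None and args["base"] == IMAGE_BASE and args["buffer"][:2] == b"MZ":
                yield pid, child, args["buffer"]


def analyze(trace):
    """Summarise each hit with the header facts an analyst checks first."""
    out = []
    for parent, child, buf in find_self_injection(trace):
        parsed = parse_pe32(buf)
        out.append({"parent": parent, "child": child,
                    "image_base": parsed[0] if parsed else None,
                    "upx": is_upx_packed(buf)})
    return out


PACKED = build_pe32([b"UPX0", b"UPX1", b".rsrc"])     # constructed stand-in for the dropped PE
TRACE = [  # constructed sandbox-style records: (pid, api, arguments)
    (1234, "ProcessStart", {"image": r"C:\lab\sample.exe"}),
    (1234, "CreateProcessW", {"application": r"C:\lab\sample.exe", "child_pid": 2000, "hprocess": 0x88}),
    (1234, "NtWriteVirtualMemory", {"hprocess": 0x88, "base": 0x400000, "buffer": PACKED}),
    (500, "ProcessStart", {"image": r"C:\Windows\explorer.exe"}),
    (500, "CreateProcessW", {"application": r"C:\Windows\notepad.exe", "child_pid": 2100, "hprocess": 0x9C}),
    (500, "NtWriteVirtualMemory", {"hprocess": 0x9C, "base": 0x7FFE0000, "buffer": b"\x00" * 16}),
]

if __name__ == "__main__":
    for hit in analyze(TRACE):
        print(hit)
```

Two caveats when turning this into a real detection: the 0x400000 check only holds for a 32-bit sample built with the default image base, so compare against the ImageBase field of the written buffer rather than a constant if the target varies; and the UPX section-name test is a convenience, not proof of packing, since a modified packer can rename sections while leaving the self-spawn-and-overwrite pattern intact.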

