May attempt to contact remote command-and-control (C2) servers to download additional payloads.
Often flagged for "Process Hollowing" or "Code Injection," which are techniques used to hide malicious code inside legitimate processes.
Some versions attempt to write to system directories or create registry keys to remain active after a reboot.