An attacker executes an obfuscated PowerShell script to download and execute malware.
An attacker exfiltrates sensitive data by encoding it in DNS subdomains (DNS tunneling).
An attacker attempts to extract NTLM hashes from the memory of the lsass.exe process (e.g., with Mimikatz).
An attacker exploits an upload vulnerability to drop a malicious PHP script (web shell) on the web server.
A process begins encrypting user files en masse and drops a ransom note.