: Use of Base64 encoding or character replacement to hide commands like IEX (Invoke-Expression). [5]

: Run strings on the extracted files to find hidden URLs or PowerShell commands. [5]
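The two checks above can be combined in one triage pass. The following is an added example, not code from the original write-up: it pulls ASCII and UTF-16LE strings out of a file's bytes, decodes Base64 candidates (PowerShell's `-EncodedCommand` carries UTF-16LE text), and reports URLs and `IEX` / `Invoke-Expression` strings. It covers Base64 only, not character replacement; all function names are hypothetical and the sample bytes are constructed.

```python
from __future__ import annotations
import base64
import re

# Same runs that `strings` (ASCII) and `strings -el` (UTF-16LE) would report.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

def extract_strings(data: bytes) -> list[str]:
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found

def decode_b64(token: str) -> str | None:
    """Return the text behind a Base64 candidate, or None if it is not text."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:
        return None
    for enc in ("utf-16-le", "utf-8"):  # -EncodedCommand uses UTF-16LE
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def triage(data: bytes) -> dict[str, list[str]]:
    """Collect URLs and IEX-bearing strings, peeling nested Base64 layers."""
    report, seen = {"urls": [], "iex": []}, set()
    pending = extract_strings(data)
    while pending:
        s = pending.pop()
        if s in seen:
            continue
        seen.add(s)
        report["urls"] += URL_RE.findall(s)
        if IEX_RE.search(s):
            report["iex"].append(s)
        pending += [d for d in map(decode_b64, B64_RE.findall(s)) if d]
    return report

# Constructed sample: a harmless command, encoded the way -enc expects.
DEMO_PS = "$u='http://example.invalid/stage2.ps1'; IEX \"Write-Output $u\""
SAMPLE = (b"\x00\x01\xff" + b"powershell.exe -NoP -enc "
          + base64.b64encode(DEMO_PS.encode("utf-16-le")) + b"\x00\xfe")
```

Calling `triage(SAMPLE)` returns the URL and the decoded `IEX` line even though neither is visible in the raw bytes.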

The analysis typically involves the following steps found in successful write-ups:

: Attempts to modify registry keys or add files to the Startup folder. [4]
