Beware of Phishing Emails Impersonating Broadcast-Station Honorarium Payments

2023-12-29 Hauri Beware of phishing emails pretending to pay broadcasting station rewards

https://hauri.co.kr/security/issue_view.html?intSeq=426&page=1&article_num=335

A Hauri analysis describes a phishing email campaign that used a broadcast-station honorarium lure to deliver a Windows shortcut file. The LNK chain authenticated to Dropbox, pulled encrypted PowerShell and PE payloads from attacker-controlled paths, decrypted them with AES and GZip stages, and established scheduled tasks under AppData for persistence. Later stages collected the victim IP address, created Dropbox log folders, monitored keystrokes and clipboard data, and wrote keylogging output to version.xml before sending it to a C2 endpoint under gbi????.com. The report provides representative file paths and hashes for version103.vbs, w{random}.ps1, and the final payload.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| URL | https://api.dropboxapi.com/oaut… | 2023-12-29 | 2025-09-03 |
| HASH | dce864eabfbd6445682a4671a2fee1a9 | 2023-12-29 | 2024-04-17 |
| DOMAIN | dddon.kr | 2023-12-29 | 2024-04-17 |
| HASH | 66498ffe232da5691e0fb23d2b00c933 | 2023-12-29 | 2023-12-29 |
| HASH | 7649972a60a64258c3d484cca7d6464d | 2023-12-29 | 2023-12-29 |
| URL | http://dddon.kr/doc/nase/docx/1… | 2023-12-29 | 2023-12-29 |
