Malware created by North Korea's Konni group, disguised as a proposal - Proposal (2025.4.11)

2025-04-24 Sakai Malware Created by North Korean Konni Disguised as a Proposal - Proposal (2025.4.11)

https://wezard4u.tistory.com/429464


The Korean analysis attributes a proposal-themed malicious Windows shortcut (LNK) to North Korea's Konni group and provides MD5, SHA-1, and SHA-256 hashes for the sample. When opened, the shortcut launches cmd.exe to find PowerShell, locates the .lnk carrier by its distinctive file size, XOR-decodes the payloads embedded in it, executes a decoded file, unpacks a CAB archive into the Public Documents path, runs start.vbs, and deletes the LNK and CAB staging files. Follow-on batch scripts establish persistence through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, download a password-protected ZIP from ausbildungsbuddy.de, and execute its contents. The malware also enumerates the user's Downloads, Documents, and Desktop folders, collects system information, and uploads the resulting files to attacker-controlled PHP endpoints.

Indicators of Compromise

| Type   | Value                                | First Seen | Last Seen  |
|--------|--------------------------------------|------------|------------|
| DOMAIN | ystem.io                             | 2023-09-26 | 2025-08-21 |
| HASH   | 777b6a02f7a44582c40ddadb82e60ddb     | 2025-04-24 | 2025-05-19 |
| URL    | https://ausbildungsbuddy.de/mod…     | 2025-04-23 | 2025-05-19 |
| URL    | https://ausbildungsbuddy.de/mod…     | 2025-04-23 | 2025-05-19 |
| DOMAIN | ausbildungsbuddy.de                  | 2025-04-23 | 2025-05-19 |
| HASH   | 6af737ebc782825ebeb7dba389770a8…     | 2025-04-24 | 2025-04-24 |
| HASH   | 401f5a93a9496262fc83ea4cf557e4e…     | 2025-04-24 | 2025-04-24 |
