MEDIUM Suspicious Process Creation

Prevented (Blocked) ID: #289 | Detected: 2026-01-01 01:17:28 | Malware
View Incident Back
Alert Overview

Suspicious process creation detected

Unclassified
XDR Agent
New
DS:PANW/XDR Agent DOM:Security
Host Information
BOOK-R0BE6S1NC3
172.27.1.74
ubuntu
fb5c54168a024bea95ad1bfc092f7a53
00:72:ee:3e:51:84
Process Information Process Execution
Actor Process (Executor)
Process Name powershell.exe
Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 22924
SHA256 0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46 VT
MD5 a97e6573b97b44c96122bfa543a82ea1
Signature Microsoft Windows N/A 
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Action Process (Target)
Process Name powershell.exe
SHA256 0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46 VT
Signature Microsoft Windows Signed 
"powershell.exe" & {$OriginalCommand = 'Write-Host \""Hey, Atomic!\""'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path HKCU:Software\Microsoft\Windows\CurrentVersion -Name Debug -Value $EncodedCommand
powershell.exe -Command \""IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug)))\""}
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
MEDIUM

Review and assess impact

Summary
Events 1
IP Addresses 1
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict