Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

XpertRAT

XpertRAT is a remote access trojan with various capabilities.

XpertRAT Core Payload

NirSoft MailPassView

Password recovery tool for various email clients

NirSoft WebBrowserPassView

Password recovery tool for various web browsers

Nirsoft

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE