Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

UAC bypass

Windows security bypass

XpertRAT

XpertRAT is a remote access trojan with various capabilities.

XpertRAT Core Payload

NirSoft MailPassView

Password recovery tool for various email clients

NirSoft WebBrowserPassView

Password recovery tool for various web browsers

Nirsoft

Adds policy Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE