DcRat

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence

Modifies security service

Process spawned unexpected child process

This typically indicates the parent process was compromised via an exploit or macro.

UAC bypass

DCRat payload

Detects payload of DCRat, commonly dropped by NSIS installers.

Downloads MZ/PE file

Executes dropped EXE

Possible privilege escalation attempt

Stops running service(s)