### **A — Administrative Privilege Detection**

* Detects whether it is running with administrator rights using registry write tests.
* Alters its behavior based on the detected privilege level.

### **B — Browser Data Erasure**

* Deletes history, cookies, cache, sessions, and storage from:
  * Google Chrome
  * Yandex Browser
  * Mozilla Firefox
* Optionally terminates the browsers before cleanup.

### **C — Command & Control (C2) Communication**

* Communicates with a remote server over HTTP(S).
* Uses custom HTTP headers for client identification, uptime reporting, and command routing.
* Supports dynamic C2 URL rotation.

### **D — DLL Reflective Loading**

* Loads DLLs directly into memory without writing them to disk (32-bit only).
* Uses low-level Windows API calls via DynamicWrapperX.

### **E — Execution Engine**

* Executes:
  * Shell commands
  * PowerShell (base64-encoded)
  * EXE payloads
  * DLL exports
  * WSH scripts
  * Arbitrary JavaScript via `eval`

### **F — File System Control**

* Reads, writes, moves, overwrites, and securely erases files.
* Handles both binary and text files.
* Creates temporary files.

### **G — Global Unique Identifier (UID)**

* Generates a persistent machine identifier from `MachineGuid`.
* Used for C2 identification and as a registry storage key.

### **H — Host Information Harvesting**

* Collects:
  * OS version & architecture
  * Username & computer name
  * Locale & timezone
  * Domain membership & role
  * Installed antivirus products

### **I — Installation & Persistence**

* Copies itself into a system directory.
* Registers scheduled tasks for persistence.
* Supports autorun via Task Scheduler, optionally with elevated privileges.

### **J — JavaScript Remote Control**

* Executes attacker-supplied JavaScript code stored in the registry or received from C2.
* Supports autostart JavaScript logic.

### **K — Keylogger**

* Loads a PowerShell-based keylogger from encrypted registry data.
* Periodically exfiltrates keystrokes to C2.
* Supports remote update and start/stop control.

### **L — Log & Evidence Removal**

* Clears:
  * Windows Event Logs
  * Browser traces
  * Shadow copies (restore points), when running as admin

### **M — Memory-Only Payloads**

* Supports fileless execution via memory injection.
* Avoids disk artifacts where possible.

### **N — Network Evasion**

* Randomized domain generation (DGA-like behavior).
* Multiple fallback TLDs.
* Dynamic timeout control.

### **O — OS Uptime Awareness**

* Uses system uptime to delay or condition execution.
* In some cases avoids executing shortly after boot.

### **P — Process Control**

* Enumerates running processes.
* Terminates specified security or browser processes.
* Launches hidden processes via WMI.

### **Q — Quiet Operation**

* Runs fully hidden (no windows).
* Suppresses user-visible output.
* Uses silent Task Scheduler execution.

### **R — Registry-Based Configuration**

* Stores in the registry:
  * Configuration
  * Commands
  * Keylogger payload
  * State flags
* Uses user-specific registry paths.

### **S — Self-Protection**

* Detects multiple running instances.
* Ensures a single active instance.
* Prevents duplicate execution.

### **T — Task Scheduler Abuse**

* Creates hidden scheduled tasks.
* Configurable restart behavior.
* Optional elevated execution context.

### **U — Uninstall Capability**

* Removes:
  * Files
  * Registry keys
  * Scheduled tasks
  * COM registrations
* Cleans traces before exit.

### **V — Version Updating**

* Supports self-update from C2.
* Replaces its own script safely.
* Restarts automatically after the update.

### **W — Windows Management Instrumentation (WMI) Abuse**

* Used for:
  * Process execution
  * System info gathering
  * Process enumeration & termination

### **X — XOR & Hex Obfuscation**

* Uses XOR encryption and hex encoding for:
  * Payloads
  * Network headers
  * Registry-stored data

### **Y — Yield-Based Execution Loop**

* Sleeps between beacon intervals.
* Interval controlled remotely via the registry or C2.

### **Z — Zero-Touch Operation**

* Fully autonomous once installed.
* No user interaction required.
* Designed for long-term persistence.
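The XOR-plus-hex scheme in item X is what an analyst has to undo when recovering this family's configuration, commands, or keylogger payload from the registry. The following triage helper is an added example, not code from the RAT or from the original report; it assumes a repeating single-byte XOR key over the hex-decoded bytes (the page does not state the key length or format) and the keyword list and sample blob are constructed for illustration.

```python
"""Triage helper for XOR+hex obfuscated blobs (added example, not the RAT's code)."""
import string

# Tokens a decoded JS/PowerShell payload plausibly contains (assumption, tune per case).
KEYWORDS = (b"function", b"eval", b"powershell", b"http", b"wscript", b"var ")
PRINTABLE = string.printable.encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key of any length (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_xor(hex_text: str, key: bytes) -> bytes:
    """Undo hex encoding, then XOR with a known key: the decode path for a recovered value."""
    return xor_bytes(bytes.fromhex(hex_text.strip()), key)


def score(plain: bytes) -> float:
    """Printable-ASCII ratio (0..1) plus one point per keyword found, case-insensitive."""
    printable = sum(c in PRINTABLE for c in plain) / max(len(plain), 1)
    hits = sum(kw in plain.lower() for kw in KEYWORDS)
    return printable + hits


def brute_force_single_byte(hex_text: str, top: int = 3):
    """Try all 256 single-byte keys; return the best (score, key, plaintext) candidates."""
    raw = bytes.fromhex(hex_text.strip())
    cands = [(score(p), k, p) for k in range(256) for p in (xor_bytes(raw, bytes([k])),)]
    cands.sort(key=lambda t: t[0], reverse=True)
    return cands[:top]


# Constructed sample: a small JS snippet XOR-encoded with key 0x5A, then hex-encoded.
# ".invalid" is a reserved TLD, so the URL cannot resolve.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b'var c2 = "http://c2.invalid/gate"; eval(WScript.Arguments(0));'
SAMPLE_HEX = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY])).hex()

if __name__ == "__main__":
    best_score, best_key, best_plain = brute_force_single_byte(SAMPLE_HEX)[0]
    print(f"key=0x{best_key:02x} score={best_score:.2f}")
    print(best_plain.decode(errors="replace"))
```

For a multi-byte key, `xor_bytes` still decodes once the key is known; recover it by XORing a recovered blob against a known plaintext prefix such as a PowerShell or `function` header.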
---

### **Summary**

**Classification Type:** Advanced Windows JavaScript RAT

**Capabilities:**

* Remote command execution
* Keylogging
* Persistence
* Anti-forensics
* Fileless payload execution
* C2 with domain generation