lbpierre/darkgate-doc-action-id.md

## darkgate-doc-action-id.md

      
    Raw
  

              darkgate-doc-action-id.md
            
          
Action Id
Description


1052
search and delete log files


1053
self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)


1060
delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)


1072
kill rar process and remove traces of rar archive


1096
ntdll used to execute payload in memory as notepad.exe


1099
Spoof parent PID to execute a cmd.exe


1100
APC injection via NtTestAlert


1101
APC injection via NtTestAlert


1102
Execute payload into another process memory


1104
execute a cmd.exe


1105
unknown


1106
kill process by ID


1107
unknown


1108
setup proxy server (with registry key)


1109
remove internet proxy


1111
unknown


1114
Get Web browser data with hVNC


1118
get Google chrome cookie


1119
get data related to SysListView32 (something related to password)


1120
get Opera cookies


1122
kill brave, msedge, chrome and firefox processes


1126
asm execution (not sure)


1134
start miner


1336
Set thread execution status


1337
execute something as notepad.exe using in mem ntdll.dll


1345
Privilege escalation via PsExec, pidgin, or raw STUB


1443
anydesk /c net user SafeMode /delete


1448
execute loader in new desktop


1449
execute command


1450
execute c:\temp\anydesk.exe as admin


1452
restart anydesk from c:\temp\anydesk.exe


1453
remove anydesk


1454
privilege escalation via PsExec.exe or piding.exe


1457
create RAR for exfiltration


1466
start reverse shell


1467
setup rev shell port


1469
kill process by ID and start reverse shell


1470
kill process by id


1480
download and execute PowerShell script


1482
start hVNC


1483
started hVNC


1487
self update


1489
download powershell script


1490
download and execute Powershell script


1491
resume process (by ID)


1494
restart a process


2001
Update by AU3


2003
Update by RAW STUB


2005
update by exe or dll (sqlite3.dll, libssp-0.dll, pidgin.exe)


3001
send host fingerprint


3004
Web browser password view


3005
retrieve Mail pass view


3006
retrieve fileZilla secrets


3013
execute PE in c:\temp\


3033
Pop Message Test


3034
ping back same req


3035
search token in discord process memory


3036
start monero miner
Action Id	Description
1052	search and delete log files
1053	self update (and remove traces of the update, rmdir /s /q c:\temp && del /q /f %temp%*.au30)
1060	delete shadow copies (c vssadmin delete shadows /for=c: /all /quiet)
1072	kill rar process and remove traces of rar archive
1096	ntdll used to execute payload in memory as notepad.exe
1099	Spoof parent PID to execute a cmd.exe
1100	APC injection via NtTestAlert
1101	APC injection via NtTestAlert
1102	Execute payload into another process memory
1104	execute a cmd.exe
1105	unknown
1106	kill process by ID
1107	unknown
1108	setup proxy server (with registry key)
1109	remove internet proxy
1111	unknown
1114	Get Web browser data with hVNC
1118	get Google chrome cookie
1119	get data related to SysListView32 (something related to password)
1120	get Opera cookies
1122	kill brave, msedge, chrome and firefox processes
1126	asm execution (not sure)
1134	start miner
1336	Set thread execution status
1337	execute something as notepad.exe using in mem ntdll.dll
1345	Privilege escalation via PsExec, pidgin, or raw STUB
1443	anydesk /c net user SafeMode /delete
1448	execute loader in new desktop
1449	execute command
1450	execute c:\temp\anydesk.exe as admin
1452	restart anydesk from c:\temp\anydesk.exe
1453	remove anydesk
1454	privilege escalation via PsExec.exe or piding.exe
1457	create RAR for exfiltration
1466	start reverse shell
1467	setup rev shell port
1469	kill process by ID and start reverse shell
1470	kill process by id
1480	download and execute PowerShell script
1482	start hVNC
1483	started hVNC
1487	self update
1489	download powershell script
1490	download and execute Powershell script
1491	resume process (by ID)
1494	restart a process
2001	Update by AU3
2003	Update by RAW STUB
2005	update by exe or dll (sqlite3.dll, libssp-0.dll, pidgin.exe)
3001	send host fingerprint
3004	Web browser password view
3005	retrieve Mail pass view
3006	retrieve fileZilla secrets
3013	execute PE in c:\temp\
3033	Pop Message Test
3034	ping back same req
3035	search token in discord process memory
3036	start monero miner