| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1005 | Data from Local System | PcShare can collect files and information from a compromised host. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PcShare has decrypted its strings by applying an XOR operation and then decompressing them with a custom-implemented LZM algorithm. |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | PcShare has created the |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PcShare can upload files and information from a compromised host to its C2 servers. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PcShare has deleted its files and components from a compromised host. |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | PcShare has used an invalid certificate in an attempt to appear legitimate. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | PcShare has been named |
| | | | PcShare can delete its persistence mechanisms from the registry. |
| Enterprise | T1027 | Obfuscated Files or Information | PcShare has been encrypted with XOR using different 32-character Base16 strings and compressed with the LZW algorithm. |
| | | | PcShare can obtain a list of running processes on a compromised host. |
| | | | The PcShare payload has been injected into the |
| | | | PcShare can search the registry files of a compromised host. |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1016 | System Network Configuration Discovery | PcShare can obtain the proxy settings of a compromised machine using |
| | | | PcShare can capture camera video as part of its collection process. |
During FunnyDream, the threat actors used a customized version of PcShare.