Keith on Twitter (archived)

← @kwm Twitter archive

Keith

@kwm

Hancitor detection:

1. Office process spawns verclsid.exe

AND

2. verclsid.exe makes a network connection OR spawns a child process

2/28/2017, 10:09:17 AM

Favs: 5

Retweets: 0

link

Keith

@kwm

Hancitor process tree: Word > verclsid.exe > Windows PE with .tmp extension, Agent Smith icon. Courtesy of @redcanaryco + @CarbonBlack_Inc.

2/28/2017, 10:46:36 AM

Favs: 0

Retweets: 2

link