File name: Medicat_Installer.bat

Full analysis: https://app.any.run/tasks/15b7b53b-49fb-40da-aca6-2add737bc7a7
Verdict: Malicious activity
Threats:

SystemBC is a Remote Access Trojan (RAT) that can hide communication with the Command and Control server, and deposit other malware strains.

Analysis date: January 02, 2024, 17:39:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: systembc
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with escape sequences
MD5: 683E28700D3CA10C0D7AFE54D35B390F
SHA1: D546C4E64094684545D1000F594B8E03938F3D63
SHA256: CC3DFB8D5E6041F86784A87EAD4E24E616DBF092A1D5882271BA5804FF343F25
SSDEEP: 192:NMCY3UbaLF13a7EJIZOTBzmkuEYb+oMGR3EUgXLcHgKjiqNrF8rzGF86kWyz5BVV:nY3KaLxBzmk4cANAEPpNe1+r2tb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SYSTEMBC has been detected (YARA)

      • curl.exe (PID: 2472)
      • curl.exe (PID: 3696)
      • curl.exe (PID: 956)
    • Changes powershell execution policy (RemoteSigned)

      • cmd.exe (PID: 1832)
  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 2336)
      • powershell.exe (PID: 2548)
      • powershell.exe (PID: 2852)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 3260)
      • powershell.exe (PID: 3360)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2020)
      • cmd.exe (PID: 116)
      • cmd.exe (PID: 1832)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1832)
      • cmd.exe (PID: 116)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 116)
      • cmd.exe (PID: 1832)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 116)
      • cmd.exe (PID: 1832)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 2020)
    • Download files or web resources using Curl/Wget

      • cmd.exe (PID: 1832)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 1832)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 2852)
      • powershell.exe (PID: 2548)
    • The process executes Powershell scripts

      • cmd.exe (PID: 1832)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1832)
  • INFO

    • Checks supported languages

      • curl.exe (PID: 2084)
      • curl.exe (PID: 1636)
      • mode.com (PID: 2248)
      • mode.com (PID: 188)
      • curl.exe (PID: 2472)
      • curl.exe (PID: 1268)
      • curl.exe (PID: 1904)
      • curl.exe (PID: 2828)
      • curl.exe (PID: 2732)
      • curl.exe (PID: 2792)
      • curl.exe (PID: 2728)
      • curl.exe (PID: 2892)
      • curl.exe (PID: 2888)
      • curl.exe (PID: 2512)
      • curl.exe (PID: 1812)
      • curl.exe (PID: 2176)
      • mode.com (PID: 3000)
      • batbox.exe (PID: 3120)
      • mode.com (PID: 3044)
      • batbox.exe (PID: 1628)
      • batbox.exe (PID: 2460)
      • batbox.exe (PID: 3180)
      • batbox.exe (PID: 3008)
      • batbox.exe (PID: 604)
      • mode.com (PID: 3136)
      • curl.exe (PID: 3696)
      • mode.com (PID: 1168)
      • 7z.exe (PID: 3852)
      • folderbrowse.exe (PID: 4072)
      • mode.com (PID: 3764)
      • mode.com (PID: 3812)
      • folderbrowse.exe (PID: 840)
      • mode.com (PID: 392)
      • batbox.exe (PID: 2088)
      • batbox.exe (PID: 2080)
      • mode.com (PID: 2408)
      • batbox.exe (PID: 2024)
      • batbox.exe (PID: 3004)
      • batbox.exe (PID: 1864)
      • Ventoy2Disk.exe (PID: 584)
      • format.com (PID: 1604)
      • batbox.exe (PID: 296)
      • batbox.exe (PID: 1380)
      • batbox.exe (PID: 1044)
      • batbox.exe (PID: 2020)
      • mode.com (PID: 1652)
      • batbox.exe (PID: 1792)
      • curl.exe (PID: 2308)
      • batbox.exe (PID: 1796)
      • mode.com (PID: 268)
      • batbox.exe (PID: 668)
      • curl.exe (PID: 1784)
      • curl.exe (PID: 2384)
      • curl.exe (PID: 2296)
      • curl.exe (PID: 956)
    • Application launched itself

      • cmd.exe (PID: 116)
      • cmd.exe (PID: 1832)
    • Checks operating system version

      • cmd.exe (PID: 1832)
    • Drops the executable file immediately after the start

      • curl.exe (PID: 2472)
      • curl.exe (PID: 2728)
      • curl.exe (PID: 2892)
      • curl.exe (PID: 2732)
      • curl.exe (PID: 2176)
      • curl.exe (PID: 2888)
      • 7z.exe (PID: 3852)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2336)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 3260)
      • powershell.exe (PID: 3360)
    • Unusual connection from system programs

      • powershell.exe (PID: 2336)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 3360)
      • powershell.exe (PID: 3260)
    • Reads the computer name

      • curl.exe (PID: 2472)
      • curl.exe (PID: 1268)
      • curl.exe (PID: 1904)
      • curl.exe (PID: 2828)
      • curl.exe (PID: 2792)
      • curl.exe (PID: 2728)
      • curl.exe (PID: 2892)
      • curl.exe (PID: 2732)
      • curl.exe (PID: 1812)
      • curl.exe (PID: 2512)
      • curl.exe (PID: 2888)
      • curl.exe (PID: 2176)
      • curl.exe (PID: 3696)
      • 7z.exe (PID: 3852)
      • folderbrowse.exe (PID: 4072)
      • folderbrowse.exe (PID: 840)
      • curl.exe (PID: 1784)
      • curl.exe (PID: 2296)
      • curl.exe (PID: 2384)
      • curl.exe (PID: 956)
      • curl.exe (PID: 2308)
    • Create files in a temporary directory

      • curl.exe (PID: 2472)
      • curl.exe (PID: 1904)
      • curl.exe (PID: 1268)
      • curl.exe (PID: 2828)
      • curl.exe (PID: 2792)
      • curl.exe (PID: 2728)
      • curl.exe (PID: 2892)
      • curl.exe (PID: 2732)
      • curl.exe (PID: 2512)
      • curl.exe (PID: 2176)
      • curl.exe (PID: 1812)
      • curl.exe (PID: 2888)
      • 7z.exe (PID: 3852)
      • curl.exe (PID: 3696)
      • Ventoy2Disk.exe (PID: 584)
      • curl.exe (PID: 1784)
      • curl.exe (PID: 2308)
      • curl.exe (PID: 2296)
      • curl.exe (PID: 956)
      • curl.exe (PID: 2384)
    • Drops 7-zip archiver for unpacking

      • curl.exe (PID: 2176)
      • curl.exe (PID: 2888)
    • The executable file from the user directory is run by the CMD process

      • batbox.exe (PID: 3120)
      • batbox.exe (PID: 2460)
      • batbox.exe (PID: 3180)
      • batbox.exe (PID: 3008)
      • batbox.exe (PID: 1628)
      • batbox.exe (PID: 604)
      • GetInput.exe (PID: 3328)
      • folderbrowse.exe (PID: 4072)
      • 7z.exe (PID: 3852)
      • folderbrowse.exe (PID: 840)
      • batbox.exe (PID: 296)
      • batbox.exe (PID: 2088)
      • batbox.exe (PID: 2080)
      • batbox.exe (PID: 3004)
      • batbox.exe (PID: 2024)
      • batbox.exe (PID: 1864)
      • GetInput.exe (PID: 1772)
      • Ventoy2Disk.exe (PID: 584)
      • GetInput.exe (PID: 2208)
      • batbox.exe (PID: 1380)
      • batbox.exe (PID: 1044)
      • batbox.exe (PID: 668)
      • GetInput.exe (PID: 1344)
      • batbox.exe (PID: 2020)
      • GetInput.exe (PID: 2172)
      • batbox.exe (PID: 1796)
      • batbox.exe (PID: 1792)
    • Reads the machine GUID from the registry

      • folderbrowse.exe (PID: 840)
No Malware configuration.
No data.
Total processes: 129
Monitored processes: 92
Malicious processes: 6
Suspicious processes: 0

Behavior graph

[Behavior graph: process tree starting at cmd.exe; three of the curl.exe nodes are tagged #SYSTEMBC.]

Process information

PID | CMD | Path | Indicators | Parent process

PID: 116 | CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Medicat_Installer.bat" " | Path: C:\Windows\System32\cmd.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 188 | CMD: mode con:cols=64 lines=18 | Path: C:\Windows\System32\mode.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 268 | CMD: mode con:cols=64 lines=18 | Path: C:\Windows\System32\mode.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 296 | CMD: batbox /c 0xF2 /g 10 14 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 10 13 /a 32 /d " " /a 32 /g 10 12 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07 | Path: C:\Users\admin\AppData\Local\Temp\bin\batbox.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\bin\batbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

PID: 324 | CMD: ping 1.1.1.1 -n 1 -w 1000 | Path: C:\Windows\System32\PING.EXE | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll

PID: 392 | CMD: REG QUERY "HKEY_CURRENT_USER\Control Panel\International" /v "LocaleName" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 392 | CMD: mode con:cols=64 lines=18 | Path: C:\Windows\System32\mode.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 584 | CMD: Ventoy2Disk.exe VTOYCLI /I /Drive:\: /NOUSBCheck /GPT | Path: C:\Users\admin\AppData\Local\Temp\Ventoy2Disk\Ventoy2Disk.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Ventoy2Disk
Exit code:
1
Version:
1.0.0.3
Modules
Images
c:\users\admin\appdata\local\temp\ventoy2disk\ventoy2disk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID: 604 | CMD: Batbox /g 3 3 /c 0xF2 /d "INSTALL MEDICAT" /g 25 3 /c 0x2F /d "TOGGLE DRIVE FORMAT (CURRENTLY Yes)" /g 3 8 /c 0xF9 /d "MEDICAT DISCORD" /g 25 8 /c 0xF9 /d "VISIT SITE" /g 42 8 /c 0xF9 /d "CHECK USB FILES" /c 0x07 | Path: C:\Users\admin\AppData\Local\Temp\bin\batbox.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\bin\batbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

PID: 668 | CMD: batbox /c 0xF4 /g 46 14 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 46 13 /a 32 /d " " /a 32 /g 46 12 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07 | Path: C:\Users\admin\AppData\Local\Temp\bin\batbox.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\bin\batbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll

Total events: 21 490
Read events: 21 380
Write events: 107
Delete events: 3

Modification events

(PID) Process: (2020) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2020) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2020) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2020) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2336) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2548) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2548) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2548) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2548) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2548) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Operation: write
Name: ExecutionPolicy
Value: Unrestricted

Executable files: 14
Suspicious files: 23
Text files: 44
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2020 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vbazol10.2gi.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

2336 | powershell.exe | C:\Users\admin\AppData\Local\Temp\qwgmq2c4.mbg.psm1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

1904 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\QuickSFV.ini | text
MD5: 7BE5A47066EDCCD7AA0D3B0D69D607FF
SHA256: 2EEA3FA7D366D65C1B27B1D0796FDD9F560E289A6FA9F24DD339E5131D0B099B

2828 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\Button.bat | text
MD5: 5B727EFF91DE52000CEA8E61694F2A03
SHA256: 03A86F9FCDCCBAA499EA4435434A45178E367639D8FB755C5211F304C70744B5

2336 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vfr0bhht.04o.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

2792 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\Getlen.bat | text
MD5: 8C1812E76BA7BF09CB87384089A0AB7F
SHA256: 83CE5342710A2F2E385A363402661E3426728DD6BCFE9D87E22F2FB858B07BDE

1268 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\Box.bat | text
MD5: E5CE0008212C431BAACB5B208F2575BD
SHA256: F164716E7B1F98F68F6CE3239345C30B3410ED9812F30B37BB7630F28047EBD9

2732 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\GetInput.exe | executable
MD5: 2BA62AE6F88B11D0E262AF35D8DB8CA9
SHA256: 3F5C64717A0092AE214154A730E96E2E56921BE2E3F1121A3E98B1BA84627665

2728 | curl.exe | C:\Users\admin\AppData\Local\Temp\bin\batbox.exe | executable
MD5: CB4A44BAA20AD26BF74615A7FC515A84
SHA256: 9553BC17FA0FD08E026C1865812B3388E3D5495A5394BBF671E5A8F21C79989A

2548 | powershell.exe | C:\Users\admin\AppData\Local\Temp\be4nbcnp.1oj.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

HTTP(S) requests: 0
TCP/UDP connections: 27
DNS requests: 10
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2336 | powershell.exe | 140.82.121.6:443 | api.github.com | GITHUB | US | unknown
2472 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
1904 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
1268 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
2828 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
2732 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
2792 | curl.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
api.github.com | 140.82.121.6, 140.82.121.5 | whitelisted
raw.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.111.133, 185.199.110.133 | shared
translate.googleapis.com | 142.250.184.202 | whitelisted
github.com | 140.82.121.4 | shared
objects.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | shared
files.medicatusb.com | 104.21.26.161, 172.67.137.49 | unknown
mirrors.itrio.xyz | 104.26.0.120, 104.26.1.120, 172.67.71.217 | unknown
files.dog | 23.133.104.42 | unknown

Threats

No threats detected
No debug info