File name: FedoraMediaWriter-win64-5.2.3.exe

Full analysis: https://app.any.run/tasks/89bca2ea-3b35-418f-bb0c-b7cc591184be
Verdict: Malicious activity
Analysis date: March 16, 2025, 17:46:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 9B27EB5218F4CDC6654904EE313B28CA
SHA1: 817B8B4BAE092EF0A69965C616D67C5DD1061683
SHA256: 9FE4981D9C59128E5DD2FA558A4DC03A6455414C0C3F9CBD5310223821C6DA3E
SSDEEP: 393216:EMu0tvS/NzWk3aVbKk2uY7OODzHr6UNmHMDIyZmukXC5We5Fe5j9Fzw:EIEt6OT7pHdmHMD1LFWHw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Creates a software uninstall entry

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • There is functionality for taking screenshots (YARA)

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
      • mediawriter.exe (PID: 1812)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • The process creates files with name similar to system file names

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Process drops legitimate Windows executable

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Detected use of alternative data streams (AltDS)

      • mediawriter.exe (PID: 1812)
  • INFO

    • Checks supported languages

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
      • mediawriter.exe (PID: 1812)
    • Creates files in a temporary directory

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Reads the software policy settings

      • slui.exe (PID: 3396)
      • mediawriter.exe (PID: 1812)
    • Process checks computer location settings

      • mediawriter.exe (PID: 1812)
    • Creates files or folders in the user directory

      • mediawriter.exe (PID: 1812)
    • Reads the computer name

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
      • mediawriter.exe (PID: 1812)
    • The sample was compiled with English language support

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Reads the machine GUID from the registry

      • mediawriter.exe (PID: 1812)
    • Creates files in the program directory

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Reads the time zone

      • mediawriter.exe (PID: 1812)
    • Checks proxy server information

      • mediawriter.exe (PID: 1812)
      • slui.exe (PID: 3396)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.5.2.3
ProductVersionNumber: 0.5.2.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Tool to write Fedora images to flash drives
CompanyName: Fedora Project
FileDescription: Fedora Media Writer
FileVersion: 0.5.2
LegalCopyright: Fedora Project
ProductName: Fedora Media Writer
Total processes: 125
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (interactive view in the full report): start, fedoramediawriter-win64-5.2.3.exe, slui.exe, mediawriter.exe, fedoramediawriter-win64-5.2.3.exe (no specs)

Process information

PID: 1164
CMD: "C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe"
Path: C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe
Parent process: explorer.exe
User: admin
Company: Fedora Project
Integrity Level: HIGH
Description: Fedora Media Writer
Exit code: 0
Version: 0.5.2
Modules (images):
  • c:\users\admin\desktop\fedoramediawriter-win64-5.2.3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 1812
CMD: "C:\Program Files (x86)\Fedora Media Writer\mediawriter.exe"
Path: C:\Program Files (x86)\Fedora Media Writer\mediawriter.exe
Parent process: FedoraMediaWriter-win64-5.2.3.exe
User: admin
Integrity Level: HIGH
Modules (images):
  • c:\program files (x86)\fedora media writer\mediawriter.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\gdi32.dll

PID: 3396
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 5380
CMD: "C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe"
Path: C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe
Parent process: explorer.exe
User: admin
Company: Fedora Project
Integrity Level: MEDIUM
Description: Fedora Media Writer
Exit code: 3221226540
Version: 0.5.2
Modules (images):
  • c:\users\admin\desktop\fedoramediawriter-win64-5.2.3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
Total events: 21 250
Read events: 21 235
Write events: 15
Delete events: 0

Modification events

All entries below were written by FedoraMediaWriter-win64-5.2.3.exe (PID 1164) under the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer (operation: write).

Name | Value
DisplayName | Fedora Media Writer
UninstallString | "C:\Program Files (x86)\Fedora Media Writer\uninstall.exe"
QuietUninstallString | "C:\Program Files (x86)\Fedora Media Writer\uninstall.exe" /S
InstallLocation | "C:\Program Files (x86)\Fedora Media Writer"
DisplayIcon | "C:\Program Files (x86)\Fedora Media Writer\mediawriter.ico"
Publisher | Fedora Project
HelpLink | https://github.com/FedoraQt/MediaWriter
URLUpdateInfo | https://getfedora.org
URLInfoAbout | https://getfedora.org
DisplayVersion | 5.2.3
Executable files: 96
Suspicious files: 52
Text files: 1 267
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Users\admin\AppData\Local\Temp\nsyF2C0.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\LICENSE.GPL-2.txt | text
  MD5: AB26AB31898F14D964EA6C6C9BC7E909
  SHA256: 1471DD6D4E79665ED811BFADFE945258CCB118CE984FCB9689A9AD252B20CC4C
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6Gui.dll | executable
  MD5: ED7751B773B9064EDBADD261936C3E4C
  SHA256: 7BF2863D491430DA8D08E396F6B255AFD7696166697B5D089137BC63CB46FAAC
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6Core.dll | executable
  MD5: 96960FB6D837C99ADF1D60CED65188E2
  SHA256: F0CCC66F9496C6AD1075FC08466BB0CCD7B9F3EE014292DD5036C8FCC2018E72
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6QuickControls2.dll | executable
  MD5: 88A73A367B7FFC36B173ECDC147558C6
  SHA256: 3464804230E6BB3C19DD272B55AF617D23D6A7D7B793E50105BD0C13D922AA7E
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6QuickControls2Basic.dll | executable
  MD5: 55A6226CD21CE7D8BFA6ADE0E2758FDA
  SHA256: CFFC705D1A40588DD90FBC26DEE2F7DB54FD34379C948BF99CAB49240B657176
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6QuickControls2FluentWinUI3StyleImpl.dll | executable
  MD5: C4B2A1B07848BBB513ECAFC61880BB14
  SHA256: 3619B3027811F11EC74AA97CB80DC68C1CBBDCFE3CE4D319794A0D9FEB5D5B72
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6QmlWorkerScript.dll | executable
  MD5: 013E2E876B876DF578B3C8B2EF6FA602
  SHA256: ACF40948086DC0ECAD5A04D5A0D8E431FB591A31EEF4F769CA47FD504AC60CC8
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Program Files (x86)\Fedora Media Writer\Qt6LabsFolderListModel.dll | executable
  MD5: FAF2F861478E2E9C7CACAFBF9021EAC0
  SHA256: C828FBEB8B2E90AFF493489839B6B9F15463FC96673BAD85B77014526693AB83
1164 | FedoraMediaWriter-win64-5.2.3.exe | C:\Users\admin\AppData\Local\Temp\nsyF2C0.tmp\UserInfo.dll | executable
  MD5: F8B6DD1F9620BE4EF2AD1E81FB6B79FA
  SHA256: A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 8
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1812 | mediawriter.exe | GET | - | 197.155.77.1:80 | http://197.155.77.1:80/fedora/linux/releases/41/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-41-1.4.iso | unknown | unknown | - | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 200 | 8.43.85.67:443 | https://mirrors.fedoraproject.org/mirrorlist?path=/pub/fedora/linux/releases/41/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-41-1.4.iso | unknown | text | 18.4 Kb | whitelisted
- | - | GET | 200 | 185.141.165.254:443 | https://fedoraproject.org/releases.json | unknown | text | 101 Kb | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
7012 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1812 | mediawriter.exe | 18.133.140.134:443 | fedoraproject.org | AMAZON-02 | GB | whitelisted
1812 | mediawriter.exe | 85.236.55.6:443 | fedoraproject.org | InterNetX GmbH | DE | whitelisted
1812 | mediawriter.exe | 197.155.77.1:80 | fedora.mirror.liquidtelecom.com | Liquid Telecommunications Ltd | KE | whitelisted
3396 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 172.217.16.142 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
fedoraproject.org | 18.133.140.134, 38.145.60.20, 152.19.134.142, 38.145.60.21, 85.236.55.6, 18.192.40.85, 152.19.134.198, 18.159.254.57, 185.141.165.254 | whitelisted
mirrors.fedoraproject.org | 85.236.55.6, 152.19.134.142, 152.19.134.198, 38.145.60.21, 185.141.165.254, 18.133.140.134, 18.192.40.85, 38.145.60.20, 18.159.254.57 | whitelisted
fedora.mirror.liquidtelecom.com | 197.155.77.1 | whitelisted

Threats

PID | Process | Class | Message
1812 | mediawriter.exe | Misc activity | ET INFO ISO File Downloaded
No debug info