File name:

FedoraMediaWriter-win64-5.2.3.exe

Full analysis: https://app.any.run/tasks/89bca2ea-3b35-418f-bb0c-b7cc591184be
Verdict: Malicious activity
Analysis date: March 16, 2025, 17:46:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

9B27EB5218F4CDC6654904EE313B28CA

SHA1:

817B8B4BAE092EF0A69965C616D67C5DD1061683

SHA256:

9FE4981D9C59128E5DD2FA558A4DC03A6455414C0C3F9CBD5310223821C6DA3E

SSDEEP:

393216:EMu0tvS/NzWk3aVbKk2uY7OODzHr6UNmHMDIyZmukXC5We5Fe5j9Fzw:EIEt6OT7pHdmHMD1LFWHw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
      • mediawriter.exe (PID: 1812)
    • Detected use of alternative data streams (AltDS)

      • mediawriter.exe (PID: 1812)
    • Executable content was dropped or overwritten

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Process drops legitimate windows executable

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • The process creates files with name similar to system file names

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Creates a software uninstall entry

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
  • INFO

    • Reads the time zone

      • mediawriter.exe (PID: 1812)
    • Process checks computer location settings

      • mediawriter.exe (PID: 1812)
    • Checks supported languages

      • mediawriter.exe (PID: 1812)
      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Creates files or folders in the user directory

      • mediawriter.exe (PID: 1812)
    • Reads the machine GUID from the registry

      • mediawriter.exe (PID: 1812)
    • Checks proxy server information

      • mediawriter.exe (PID: 1812)
      • slui.exe (PID: 3396)
    • The sample compiled with english language support

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Create files in a temporary directory

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Reads the software policy settings

      • mediawriter.exe (PID: 1812)
      • slui.exe (PID: 3396)
    • Reads the computer name

      • mediawriter.exe (PID: 1812)
      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
    • Creates files in the program directory

      • FedoraMediaWriter-win64-5.2.3.exe (PID: 1164)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.5.2.3
ProductVersionNumber: 0.5.2.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Tool to write Fedora images to flash drives
CompanyName: Fedora Project
FileDescription: Fedora Media Writer
FileVersion: 0.5.2
LegalCopyright: Fedora Project
ProductName: Fedora Media Writer
No data.
Total processes
125
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

[Behavior graph; node labels: start, fedoramediawriter-win64-5.2.3.exe, slui.exe, mediawriter.exe, fedoramediawriter-win64-5.2.3.exe (no specs)]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1164
CMD: "C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe"
Path: C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe
Parent process: explorer.exe
User:
admin
Company:
Fedora Project
Integrity Level:
HIGH
Description:
Fedora Media Writer
Exit code:
0
Version:
0.5.2
Modules
Images
c:\users\admin\desktop\fedoramediawriter-win64-5.2.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1812
CMD: "C:\Program Files (x86)\Fedora Media Writer\mediawriter.exe"
Path: C:\Program Files (x86)\Fedora Media Writer\mediawriter.exe
Parent process: FedoraMediaWriter-win64-5.2.3.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files (x86)\fedora media writer\mediawriter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 3396
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5380
CMD: "C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe"
Path: C:\Users\admin\Desktop\FedoraMediaWriter-win64-5.2.3.exe
Parent process: explorer.exe
User:
admin
Company:
Fedora Project
Integrity Level:
MEDIUM
Description:
Fedora Media Writer
Exit code:
3221226540
Version:
0.5.2
Modules
Images
c:\users\admin\desktop\fedoramediawriter-win64-5.2.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
21 250
Read events
21 235
Write events
15
Delete events
0

Modification events

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: DisplayName
Value: Fedora Media Writer

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\Fedora Media Writer\uninstall.exe"

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: QuietUninstallString
Value: "C:\Program Files (x86)\Fedora Media Writer\uninstall.exe" /S

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: InstallLocation
Value: "C:\Program Files (x86)\Fedora Media Writer"

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: DisplayIcon
Value: "C:\Program Files (x86)\Fedora Media Writer\mediawriter.ico"

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: Publisher
Value: Fedora Project

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: HelpLink
Value: https://github.com/FedoraQt/MediaWriter

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: URLUpdateInfo
Value: https://getfedora.org

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: URLInfoAbout
Value: https://getfedora.org

(PID) Process: (1164) FedoraMediaWriter-win64-5.2.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fedora Media Writer
Operation: write
Name: DisplayVersion
Value: 5.2.3

Executable files
96
Suspicious files
52
Text files
1 267
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF2C0.tmp\modern-wizard.bmp
Type: image
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\LICENSE.GPL-2.txt
Type: text
MD5:AB26AB31898F14D964EA6C6C9BC7E909
SHA256:1471DD6D4E79665ED811BFADFE945258CCB118CE984FCB9689A9AD252B20CC4C
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6LabsFolderListModel.dll
Type: executable
MD5:FAF2F861478E2E9C7CACAFBF9021EAC0
SHA256:C828FBEB8B2E90AFF493489839B6B9F15463FC96673BAD85B77014526693AB83
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\LICENSE.LGPL-2.txt
Type: text
MD5:C2B4B49E94396FAB83110FE36BE2D008
SHA256:711C12CE95593CEE546063C54753B38E3A043923B4F5A98823B25B7B1721F42E
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6Quick.dll
Type: executable
MD5:09479E0D3F217CF65912718675EA0032
SHA256:03F2CADB44BCEB799578D1D25FDE2934B13CDC59AC1BD12F2C1D1670400BDCE1
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6Network.dll
Type: executable
MD5:961D809618D67A7AB3282FCCB934BCE5
SHA256:6DA1755BF7FFEEF5D42DA0A0B7B32D088B5B947288698A9E19F90FAF218918B8
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6Gui.dll
Type: executable
MD5:ED7751B773B9064EDBADD261936C3E4C
SHA256:7BF2863D491430DA8D08E396F6B255AFD7696166697B5D089137BC63CB46FAAC
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6Core.dll
Type: executable
MD5:96960FB6D837C99ADF1D60CED65188E2
SHA256:F0CCC66F9496C6AD1075FC08466BB0CCD7B9F3EE014292DD5036C8FCC2018E72
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6QmlMeta.dll
Type: executable
MD5:812CF63C822D66A5E507E378EFF89200
SHA256:C5996D545739E94B382A58CC1B9172BB2A7E2FF00C16A819A731EB2EC034A0FA
PID: 1164
Process: FedoraMediaWriter-win64-5.2.3.exe
Filename: C:\Program Files (x86)\Fedora Media Writer\Qt6Qml.dll
Type: executable
MD5:8C42EFEDF6631DB2DA7BA8D09ACA00CC
SHA256:01462F142995BC0127732B087B44C68154A78635268799CE96801250E7EC5CBE
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
8
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1812
mediawriter.exe
GET
197.155.77.1:80
http://197.155.77.1:80/fedora/linux/releases/41/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-41-1.4.iso
unknown
unknown
GET
200
8.43.85.67:443
https://mirrors.fedoraproject.org/mirrorlist?path=/pub/fedora/linux/releases/41/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-41-1.4.iso
unknown
text
18.4 Kb
whitelisted
GET
200
185.141.165.254:443
https://fedoraproject.org/releases.json
unknown
text
101 Kb
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
192.168.100.255:138
whitelisted
7012
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1812
mediawriter.exe
18.133.140.134:443
fedoraproject.org
AMAZON-02
GB
whitelisted
1812
mediawriter.exe
85.236.55.6:443
fedoraproject.org
InterNetX GmbH
DE
whitelisted
1812
mediawriter.exe
197.155.77.1:80
fedora.mirror.liquidtelecom.com
Liquid Telecommunications Ltd
KE
whitelisted
3396
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.142
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
fedoraproject.org
  • 18.133.140.134
  • 38.145.60.20
  • 152.19.134.142
  • 38.145.60.21
  • 85.236.55.6
  • 18.192.40.85
  • 152.19.134.198
  • 18.159.254.57
  • 185.141.165.254
whitelisted
mirrors.fedoraproject.org
  • 85.236.55.6
  • 152.19.134.142
  • 152.19.134.198
  • 38.145.60.21
  • 185.141.165.254
  • 18.133.140.134
  • 18.192.40.85
  • 38.145.60.20
  • 18.159.254.57
whitelisted
fedora.mirror.liquidtelecom.com
  • 197.155.77.1
whitelisted

Threats

PID
Process
Class
Message
1812
mediawriter.exe
Misc activity
ET INFO ISO File Downloaded
No debug info