File name: Go2DownInst.exe

Full analysis: https://app.any.run/tasks/ccac6211-ba48-472c-a5f7-00798415cee5
Verdict: Malicious activity
Analysis date: July 06, 2025, 21:24:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 11B56AAB2B16798A81CACDDB6366C827
SHA1: 2BC3AD6071459D45C51E383E27CE49FFBA0459E7
SHA256: 3914205B56FA444BD3A1C26D802100BA5B076A9EA5E1033BC216BFC75FC80F6F
SSDEEP: 49152:J+AufXBXqB7zXCBmkjT+JtqynAO6ZCmSxbv0kFgQ0Qh1lhUqgEsZknWJJsNg0ELV:J+9XBa5XCBmHtqyAO6smSlvMQ0QrTUNl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Go2DownInst.exe (PID: 7080)
    • Executable content was dropped or overwritten

      • Go2DownInst.exe (PID: 7080)
    • The process creates files with name similar to system file names

      • Go2DownInst.exe (PID: 7080)
    • There is functionality for taking screenshot (YARA)

      • Go2DownInst.exe (PID: 7080)
    • The process executes via Task Scheduler

      • updater.exe (PID: 6812)
    • Application launched itself

      • updater.exe (PID: 6812)
  • INFO

    • The sample was compiled with Chinese language support

      • Go2DownInst.exe (PID: 7080)
    • Reads the computer name

      • Go2DownInst.exe (PID: 7080)
      • updater.exe (PID: 6812)
    • Checks supported languages

      • Go2DownInst.exe (PID: 7080)
      • updater.exe (PID: 6812)
      • updater.exe (PID: 856)
    • The sample was compiled with English language support

      • Go2DownInst.exe (PID: 7080)
    • Creates files in the program directory

      • Go2DownInst.exe (PID: 7080)
    • Reads the software policy settings

      • Go2DownInst.exe (PID: 7080)
      • slui.exe (PID: 3956)
    • Creates files in a temporary directory

      • Go2DownInst.exe (PID: 7080)
    • Reads the machine GUID from the registry

      • Go2DownInst.exe (PID: 7080)
    • UPX packer has been detected

      • Go2DownInst.exe (PID: 7080)
    • Checks proxy server information

      • slui.exe (PID: 3956)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:11:22 09:54:59+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 28672
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x3a0b
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.5.0.0
ProductVersionNumber: 2.5.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Go2Down
FileDescription: Go2Down
FileVersion: 2.5.0.0
InternalName: Go2Down.exe
LegalCopyright: Go2Down Copyright(c)2024
ProductName: Go2Down
ProductVersion: 2.5.0.0
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown in the graph, starting from the initial sample: go2downinst.exe, slui.exe, updater.exe (no specs), updater.exe (no specs), go2downinst.exe (no specs)

Process information

PID: 856
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3956
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6812
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7052
CMD: "C:\Users\admin\Desktop\Go2DownInst.exe"
Path: C:\Users\admin\Desktop\Go2DownInst.exe
Parent process: explorer.exe
User: admin
Company: Go2Down
Integrity Level: MEDIUM
Description: Go2Down
Exit code: 3221226540
Version: 2.5.0.0
Modules
Images
c:\users\admin\desktop\go2downinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7080
CMD: "C:\Users\admin\Desktop\Go2DownInst.exe"
Path: C:\Users\admin\Desktop\Go2DownInst.exe
Parent process: explorer.exe
User: admin
Company: Go2Down
Integrity Level: HIGH
Description: Go2Down
Version: 2.5.0.0
Modules
Images
c:\users\admin\desktop\go2downinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 6 816
Read events: 6 816
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\nsProcess.dll | executable
MD5: 88D3E48D1C1A051C702D47046ADE7B4C
SHA256: 51DA07DA18A5486B11E0D51EBFF77A3F2FCBB4D66B5665D212CC6BDA480C4257
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\logo.ico | image
MD5: 20E003B736C8F61ECEAA4CC26163EE1E
SHA256: 6B6927BAE13C6383DFA336FD3991E0BF932A434CAEAA50FE76F60A477E94C0E3
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\StdUtils.dll | executable
MD5: C6A6E03F77C313B267498515488C5740
SHA256: B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\System.dll | executable
MD5: E38D8FF9F749EE1B141A122FEC7280E0
SHA256: 00F7604D4F36A728C7759F4D9CF3E30C9728C503557AAC49BBCD55CFC3E4FCB4
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\licence_1033.rtf | text
MD5: 695EB12AAACDAC9E8735A5FACF5F341A
SHA256: AA732E211CB9A48558CEC0C9E48E4E323F77C3801CEA29C309B6E62E32788A41
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\licence_2052.rtf | text
MD5: 2F9BE4592F28B531B7464762FE3A95B4
SHA256: 7DC2D01197D1364CE61EBF240F822E1590F793F89DA258E28449D69F3E761A16
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\skin.zip | compressed
MD5: C992E31BA30BE1028729BD90A37B9353
SHA256: F4EC3431DF8EA3836DCBDF25984A5BD281C6A78187454CB74CB4236B53AF22A9
7080 | Go2DownInst.exe | C:\Users\admin\AppData\Local\Temp\nsu6727.tmp\BgWorker.dll | executable
MD5: 33EC04738007E665059CF40BC0F0C22B
SHA256: 50F735AB8F3473423E6873D628150BBC0777BE7B4F6405247CDDF22BB00FB6BE
856 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
MD5: 21D047F290DC9403BCEB6807AAE56810
SHA256: E83B8A51E54367C8826A65F627F17BED1C23D5E749FADE65856B264463E00CE2
7080 | Go2DownInst.exe | C:\Program Files (x86)\Go2Down\config.ini | text
MD5: D7AB79D645102E5301EE7789EBCE1AA0
SHA256: D9BC082B6735A08CFA29754083A58DC98B0A5A5695AE0F8703EBE7CC92CA51ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4372 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4372 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | - | 188.114.96.3:443 | https://apk.iflydown.com/go2Down_Win/test10/app.7z | unknown | - | - | unknown
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 200 | 188.114.96.3:443 | https://apk.iflydown.com/go2Down_Win/test10/config.ini | unknown | text | 78 b | unknown
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4372 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4372 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
4372 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
apk.iflydown.com | 188.114.97.3, 188.114.96.3 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.42.72.131 | whitelisted

Threats

No threats detected
Process | Message
Go2DownInst.exe | Window, size, 560,350
Go2DownInst.exe | Window, sizebox, 0,0,0,0
Go2DownInst.exe | Window, roundcorner, 3,3
Go2DownInst.exe | Window, caption, 0,0,0,560
Go2DownInst.exe | Window, showshadow, true
Go2DownInst.exe | Window, shadowimage, images/shadow.png
Go2DownInst.exe | Window, shadowsize, 14
Go2DownInst.exe | Window, shadowcorner, 14,14,14,14
Go2DownInst.exe | LabelUI, visible, false
Go2DownInst.exe | LabelUI, name, instinfo