Prevx Research Division
C2.EXE
Banking Info StealerFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove C2.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Banking Info Stealer
- System Back Door
- Malicious Software
- Malware Dropper
- Worm
File Behavior
C2.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- Adds a Link in the Start Menu
- This process creates other processes on disk
- Can communicate with other computer systems using HTTP protocols
- Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
- Installs a browser helper object (BHO)
- Registers a Dynamic Link Library File
- Creates new folders on the system
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- Can communicate with other computers using TCP protocols
- The Process is polymorphic and can change its structure
- This Process Deletes Other Processes From Disk
- Found on infected systems and resists interrogation by security products
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Enables an In Process Object/Server - Common with DLL Injections
- Adds a Registry Key (EXPLORER) to auto start Programs on system start Boot up
C2.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Deleted as a process from disk
- Added as a Registry auto start to load Program on Boot up
- Registered as a Dynamic Link Library File
Country Of Origin
The filename C2.EXE was first seen on Jul 12 2007 in the following geographical regions of the Webroot community:
- Canada on Jul 12 2007
- The United States on Jul 12 2007
- Hong Kong on Nov 3 2009
- The United Kingdom on May 29 2010
- Turkey on Dec 26 2010
- South Africa on Nov 17 2011
- Asia/Pacific Region on Nov 17 2011
- Thailand on May 20 2012
File Name Aliases
C2.EXE can also use the following file names:
- WINMGMT.EXE
- WINLOG.EXE
- EFCD.EXE
- F4FB.EXE
- DFF5.EXE
- E0EC.EXE
- AF5A.EXE
- C2[n].EXE
- A25[1].EXE
- C2[1].EXE
- 1C.EXE
- 9B.EXE
- C5.EXE
- FB.EXE
- D9.EXE
- DE.EXE
- E7.EXE
- BA.EXE
- C7.EXE
- BF.EXE
- C8.EXE
- CA.EXE
- FC.EXE
- 27.EXE
- A22C.EXE
- D902.EXE
- A25.EXE
- FB70.EXE
- DE41.EXE
- AF67.EXE
- D194.EXE
- C11F.EXE
- F662.EXE
- DD28.EXE
- D54E.EXE
- FF38.EXE
- 51226.EXE
- 88277342.EXE
- 30347774.EXE
- 79689789.EXE
Filesizes
The following file size has been seen:
- 41,472 bytes
- 498,688 bytes
- 135,466 bytes
- 604,672 bytes
- 708,608 bytes
- 217,088 bytes
- 32,173,972 bytes
- 28,176 bytes
File Type
The filename C2.EXE is used by multiple object types including executable programs,objects.
File Activity
One or more files with the name C2.EXE creates, deletes, copies or moves the following files and folders:
- create folder C:\Program Files\Common Files
- create folder C:\Program Files\Common Files\CPUSH
- Deletes c:\docume~1\user\locals~1\temp\nso7.tmp
- Creates c:\docume~1\user\locals~1\temp\nso9.tmp
- Creates c:\program files\common files\cpush\Uninst.exe
- Creates c:\program files\common files\cpush\cpush.dll
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.