win.exe

Disk Space Cleanup Manager for Windows

Jiajie Yin

Although the file's version information claims it was developed by 'Microsoft Corporation', it was not; the metadata is crafted to make it look like a legitimate Microsoft system file. The application win.exe, 'Disk Space Cleanup Manager for Windows' by Jiajie Yin, has been detected as adware by 14 of 68 anti-malware scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'win'.
Publisher:
Microsoft Corporation  (signed by Jiajie Yin)

Product:
Microsoft® Windows® Operating System

Description:
Disk Space Cleanup Manager for Windows

Version:
6.2.9200.16384 (win8_rtm.120725-1247)

MD5:
a5c65e8ccc2d930c6e7fd1abadb7ea39

SHA-1:
b843f9134861664444f8ce442499cfad000b91e0

SHA-256:
29e114d830168c1a7fa0699cdabacb78276554aada8212be42571788ce5909ec

Scanner detections:
14 / 68

Status:
Adware

Analysis date:
5/4/2024 1:14:47 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
avast! | Win32:Adware-gen [Adw] | 150319-1
AVG | Jiajie | 2016.0.3144
Baidu Antivirus | PUA.Win32.HideBaid | 4.0.3.15410
Dr.Web | Trojan.Baidu.36 | 9.0.1.05190
ESET NOD32 | Win32/HideBaid.B potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Riskware/HideBaid | 4/10/2015
herdProtect (fuzzy) | | 2015.7.12.21
K7 AntiVirus | Trojan | 13.200.15196
McAfee | Trojan.Artemis!A5C65E8CCC2D | 16.8.708.2
NANO AntiVirus | Trojan.Win32.Baidu.deinir | 0.30.0.296
Qihoo 360 Security | HEUR/Malware.QVM19.Gen | 1.0.0.1015
Reason Heuristics | Threat.JiajieYin | 15.4.10.4
VIPRE Antivirus | Threat.4150696 | 38882

File size:
332.6 KB (340,600 bytes)

Product version:
6.2.9200.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
CLEANMGR.DLL

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\win\win.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
5/14/2014 7:46:39 PM

Valid to:
5/15/2015 7:46:39 PM

Subject:
CN=Jiajie Yin, E=cpa.baidu@gmail.com, L=桂林市, S=广西壮族自治区, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
3F13D1662B5F2172EF525E77D131CC4E

File PE Metadata
Compilation timestamp:
6/18/2014 1:37:49 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:X1xeJN1G2qErDqFdnxU0mLf67UODC6Vec9CyU0aXTPnGQh55NOx7P7:FQNU6DqFDU0mLyJeICyU7TPn1L5NOx7

Entry address:
0x208D5

Entry point:
E8, 31, F3, 00, 00, E9, 7F, FE, FF, FF, CC, 56, 8B, 44, 24, 14, 0B, C0, 75, 28, 8B, 4C, 24, 10, 8B, 44, 24, 0C, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 08, F7, F1, 8B, F0, 8B, C3, F7, 64, 24, 10, 8B, C8, 8B, C6, F7, 64, 24, 10, 03, D1, EB, 47, 8B, C8, 8B, 5C, 24, 10, 8B, 54, 24, 0C, 8B, 44, 24, 08, D1, E9, D1, DB, D1, EA, D1, D8, 0B, C9, 75, F4, F7, F3, 8B, F0, F7, 64, 24, 14, 8B, C8, 8B, 44, 24, 10, F7, E6, 03, D1, 72, 0E, 3B, 54, 24, 0C, 77, 08, 72, 0F, 3B, 44, 24, 08, 76, 09, 4E, 2B, 44, 24, 10, 1B, 54, 24...

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
win

Command:
C:\Program Files\win\win.exe
