K7 Detection Name

Suspicious Program ( ID51546 )

Affected OS

Windows

Prevalence

Low

AV Definition Version

12.188.53233
MD5

4ffe33b7f683695d0ee4c8a2133c5dd3

SHA256

3a82f3dafe7edb3e6f71a87f2f016bc807d3496cf362e135ed71587635d56915

File Size

3,711,487 bytes

Packer Information

N/A

First Seen

11-09-2024

Last Seen

22-05-2026

Aliases

Generik.KYJPVCY

Behavior Details

1. Creates Registry:
Adds data 0 under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Adds data 1 under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Adds data \xd9o\xe5\x01\x00\x00\x00\x00 under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\JScriptSetScriptStateStarted
Adds data 1 under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Adds data false – 21/5/2026 under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\4ffe33b7f683695d0ee4\(Default)
Adds data wscript.exe //B "C:\Users\\AppData\Roaming\4ffe33b7f683695d0ee4.dat.js" under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ffe33b7f683695d0ee4
Adds data wscript.exe //B "C:\Users\\AppData\Roaming\4ffe33b7f683695d0ee4.dat.js" under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ffe33b7f683695d0ee4
Adds data 1 under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

2. Network Activity:
Downloads /json/ from http://ip-api.com/json/

Removal Instructions

1. Update K7 security to the latest version.
2. Open Windows registry editor and delete the following keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\JScriptSetScriptStateStarted
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\4ffe33b7f683695d0ee4\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ffe33b7f683695d0ee4
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ffe33b7f683695d0ee4
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
3. Restart the machine.