File name:	Odyssey-1KImproved.exe
Full analysis:	https://app.any.run/tasks/82c1b621-9c15-4d14-aec9-b31a52f130e5
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 20:03:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	79B3B4F44712EA3D795D7FD90E639988
SHA1:	8D3E3DAC89C506C239ACF7AFDF503F3B2FCD3A9E
SHA256:	E348262D7913634A2C9AFB2BB4430D0F6283BF799BC8C613B9E3843ABD95FE6D
SSDEEP:	98304:Oxb2H2o5gv0Ve7xTT8lnasdu4WtHfktEzafhOsE+XZ0j1kV8sVcS77s8ohWnXZLT:ldrm2Qyreqdy

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:18 20:00:04+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	178688
InitializedDataSize:	153600
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Filename		Type
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796	SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\VCRUNTIME140.dll		executable
		MD5:BE8DBE2DC77EBE7F88F910C61AEC691A	SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\_socket.pyd		executable
		MD5:9C6283CC17F9D86106B706EC4EA77356	SHA256:5CC62AAC52EDF87916DEB4EBBAD9ABB58A6A3565B32E7544F672ACA305C38027
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\_hashlib.pyd		executable
		MD5:B0262BD89A59A3699BFA75C4DCC3EE06	SHA256:4ADFBBD6366D9B55D902FC54D2B42E7C8C989A83016ED707BD7A302FC3FC7B67
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\_lzma.pyd		executable
		MD5:B71DBE0F137FFBDA6C3A89D5BCBF1017	SHA256:6216173194B29875E84963CD4DC4752F7CA9493F5B1FD7E4130CA0E411C8AC6A
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\_decimal.pyd		executable
		MD5:F930B7550574446A015BC602D59B0948	SHA256:3B9AD1D2BC9EC03D37DA86135853DAC73B3FE851B164FE52265564A81EB8C544
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0	SHA256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:E89CDCD4D95CDA04E4ABBA8193A5B492	SHA256:1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:EFAD0EE0136532E8E8402770A64C71F9	SHA256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
6584	Odyssey-1KImproved.exe	C:\Users\admin\AppData\Local\Temp\_MEI65842\api-ms-win-core-namedpipe-l1-1-0.dll		executable
		MD5:321A3CA50E80795018D55A19BF799197	SHA256:5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2664	RUXIMICS.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2664	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.71:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	40.126.31.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.159.2:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	40.126.31.69:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2664	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
2664	RUXIMICS.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
2664	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	2.23.246.101 95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.159.71 40.126.31.129 20.190.159.130 40.126.31.128 20.190.159.68 40.126.31.69 20.190.159.2 40.126.31.0	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

Odyssey-1KImproved.exe

79B3B4F44712EA3D795D7FD90E639988

8D3E3DAC89C506C239ACF7AFDF503F3B2FCD3A9E

E348262D7913634A2C9AFB2BB4430D0F6283BF799BC8C613B9E3843ABD95FE6D

98304:Oxb2H2o5gv0Ve7xTT8lnasdu4WtHfktEzafhOsE+XZ0j1kV8sVcS77s8ohWnXZLT:ldrm2Qyreqdy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process drops C-runtime libraries

Process drops python dynamic module

Process drops legitimate windows executable

Loads Python modules

Executable content was dropped or overwritten

Application launched itself

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings