File name: Dream.Aquarium.1.293.exe

Full analysis: https://app.any.run/tasks/5db6aeb2-23d4-4fd2-8298-726b8dc01265
Verdict: Malicious activity
Analysis date: April 19, 2025, 07:30:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 8E8D8D0E3A281FEC5E8C81E9E7B41E95
SHA1: 53B8401A62971C2ABF6827A502FBFD21A17A35DE
SHA256: E95C70E2FD03CC02B89A17AD2F75EED5F35DD4DA855295ACE3CF79BF5C20B1EA
SSDEEP: 98304:fFUusLcmSFCO7tyT97Tf8EEy4Kjs8qqsJ2N6MA1J8U+nMkW67txr9A0C2SUbOP6s:Rhgw1zZG+bRXSz6HS+SWIb+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Dream.Aquarium.1.293.exe (PID: 5204)
      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Application launched itself

      • Dream.Aquarium.1.293.exe (PID: 5204)
    • There is functionality for taking screenshot (YARA)

      • Dream.Aquarium.1.293.exe (PID: 5204)
      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Executable content was dropped or overwritten

      • Dream.Aquarium.1.293.exe (PID: 5776)
      • cmd.exe (PID: 5360)
    • Starts CMD.EXE for commands execution

      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 4008)
      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Uses RUNDLL32.EXE to load library

      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Creates a software uninstall entry

      • rundll32.exe (PID: 4620)
      • reg.exe (PID: 4164)
    • Starts application with an unusual extension

      • DreamAquarium.scr (PID: 7020)
    • Searches for installed software

      • reg.exe (PID: 4164)
  • INFO

    • Checks supported languages

      • Dream.Aquarium.1.293.exe (PID: 5204)
      • Dream.Aquarium.1.293.exe (PID: 5776)
      • DreamAquarium.scr (PID: 7020)
      • Dream_Aquarium.scr (PID: 6044)
    • Reads the computer name

      • Dream.Aquarium.1.293.exe (PID: 5204)
      • Dream.Aquarium.1.293.exe (PID: 5776)
      • Dream_Aquarium.scr (PID: 6044)
    • Process checks computer location settings

      • Dream.Aquarium.1.293.exe (PID: 5204)
      • Dream_Aquarium.scr (PID: 6044)
      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Creates files in the program directory

      • Dream.Aquarium.1.293.exe (PID: 5776)
    • Manual execution by a user

      • DreamAquarium.scr (PID: 7020)
    • Creates files or folders in the user directory

      • Dream_Aquarium.scr (PID: 6044)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:02 22:14:00+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 72704
UninitializedDataSize: -
EntryPoint: 0x193af
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.9.3
ProductVersionNumber: 1.2.9.3
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Company 'Dream Aquarium'
FileDescription: Dream Aquarium 1.293
FileVersion: 1.293
InternalName: Dream Aquarium Screensaver
LegalCopyright: Copyright © Dream Aquarium
OriginalFileName: DreamAquarium.scr
PrivateBuild: 09.02.2023
ProductName: Dream Aquarium Screensaver
ProductVersion: 1.293
Comments: 7z Setup SFX
LegalTrademarks: Dream Aquarium
SpecialBuild: shurfic
No data.
All screenshots are available in the full report
Total processes: 167
Monitored processes: 36
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start dream.aquarium.1.293.exe no specs dream.aquarium.1.293.exe cmd.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs rundll32.exe no specs dreamaquarium.scr no specs dream_aquarium.scr no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 536
CMD: "C:\Windows\System32\cmd.exe" /c Move dream.inf C:\WINDOWS\INF
Path: C:\Windows\System32\cmd.exe
Parent process: Dream.Aquarium.1.293.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: reg delete "HKLM\SOFTWARE\Wow6432Node\Spiral Monkey" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: reg delete "HKCU\Software\Spiral Monkey" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1072
CMD: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\Software\Spiral Monkey" /f
Path: C:\Windows\System32\cmd.exe
Parent process: Dream.Aquarium.1.293.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1388
CMD: "C:\Windows\System32\reg.exe" add "HKCU\Software\Spiral Monkey\Dream Aquarium" /V whatsNewVer /T REG_BINARY /D "0681a53f" /f
Path: C:\Windows\System32\reg.exe
Parent process: Dream.Aquarium.1.293.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1512
CMD: "C:\Windows\System32\reg.exe" add "HKCU\Software\Spiral Monkey\Dream Aquarium" /V maxFish /T REG_DWORD /D "0x00000064" /f
Path: C:\Windows\System32\reg.exe
Parent process: Dream.Aquarium.1.293.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 005
Read events: 1 974
Write events: 31
Delete events: 0

Modification events

(PID) Process: (3956) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Spiral Monkey\Dream Aquarium
Operation: write
Name: updateDays
Value: 0

(PID) Process: (5136) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Spiral Monkey\Dream Aquarium
Operation: write
Name: hardwareAA
Value: 1

(PID) Process: (1512) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Spiral Monkey\Dream Aquarium
Operation: write
Name: maxFish
Value: 100

(PID) Process: (1388) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Spiral Monkey\Dream Aquarium
Operation: write
Name: whatsNewVer
Value: 0681A53F

(PID) Process: (3024) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Spiral Monkey\Dream Aquarium
Operation: write
Name: InstallDir
Value: C:\Program Files (x86)\Dream Aquarium Screensaver

(PID) Process: (6392) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Spiral Monkey\Dream Aquarium
Operation: write
Name: ownerName
Value: Registered Version

(PID) Process: (4164) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dream Aquarium
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\Dream Aquarium Screensaver\Dream_Aquarium.scr

(PID) Process: (2552) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Spiral Monkey\Dream Aquarium
Operation: write
Name: license
Value: fK7bN7XAR7UQF7FPY2DZ42L6YcLACGDAg5fN

(PID) Process: (6960) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Spiral Monkey\Dream Aquarium
Operation: write
Name: modules
Value: CRPK001140429162CRPK002140129015FULL___140502151TRIAL__140502150

(PID) Process: (4620) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dream Aquarium
Operation: write
Name: DisplayName
Value: Dream Aquarium Screensaver 1.293
Executable files: 5
Suspicious files: 798
Text files: 21
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK001_selectmask.alpha
Type: binary
MD5:B6BA4DBE43DFD63F9621BF1430B7386B
SHA256:92360F1A42CF13F95CC73413383DB9E553065A9AEF48D8ED0385014F8A5A65B1
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK001.das
Type: binary
MD5:514242D049E583DC553F39FF0CBBEBDB
SHA256:420906A46C465E6FD034F559B58C78B3043799C94B497383005E777734A6C984
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\dream.inf
Type: text
MD5:974F2F1B0023C7484AC85EAD6C0D4A81
SHA256:E78A6CA149A1D058FC766152F87E0600A6D552A01EC870B57348B4838A39D023
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK002_selectmask.alpha
Type: sgi
MD5:C0AF047A1F9BE60868FEFF4C254CD371
SHA256:45DC0099480F4EAE2D6783E26EB64B9870DD9D25D87FBCFC55E4064BE8B7E4B0
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK001.alpha
Type: binary
MD5:7EA382B25C9514BF5F8B6D91F223E867
SHA256:4FF70B49DDBBD91D7BD91F35239C718E3E5C8AB55C3CADF1A4398A1D5FDB955B
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\global\arrays\allfish.alpha
Type: binary
MD5:9611CED9F6DF180DC3769ADE3F233D41
SHA256:ADBF4C09B7325F2FCF2F3A5C4B958556BB86839E14ACB7397FB60C8C3503465A
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK002.das
Type: binary
MD5:ECF89335CB323A4AC4C8FFBB756571FC
SHA256:63D06AF5AF01DABA4DB7261673D69BB4CBFB027EC540131999078A1C68C7FFA1
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\global\arrays\allfish_selectmask.alpha
Type: binary
MD5:EDBA79E27BA3FA4DBE59EC7D1D1B20B4
SHA256:072962985B8494AD1A4F3570E0E98EBE3CC25C918EC46E944C05D536A6F96F36
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\addons\CRPK002.fti
Type: binary
MD5:1AF2A2319E633895BB89EB891BF02FE3
SHA256:A781BBEAEC77552A49F98B79A5121DB3FDF50D9CEDD665238B1A92EA6F0552C2
PID: 5776
Process: Dream.Aquarium.1.293.exe
Filename: C:\Program Files (x86)\Dream Aquarium Screensaver\global\arrays\allfish.fti
Type: binary
MD5:132F6DB19447CBA99236933B7CA1B083
SHA256:20974EA30EE16964C3B8223497E730A13C1295D0A49BE10F587D9F4467B7F2AA
HTTP(S) requests: 4
TCP/UDP connections: 17
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
920
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
920
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.160.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
920
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.22
  • 20.190.160.20
  • 40.126.32.134
  • 20.190.160.66
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
whitelisted

Threats

No threats detected
No debug info