Analysis of Aquvaprn.exe Malware for Operating System Investigation Using Memory Forensics Method


Hafish Naufal Aditya
Nur Widiyasono
Alam Rahmatulloh

Abstract

In today's digital age, data has become a valuable asset, and various techniques are used to steal personal data that can then be misused by irresponsible parties. The object of this study is AQUVAPRN.exe, a piece of malware classified as a Remote Access Trojan (RAT). Once it is running, its operator can access personal data on the infected operating system without the user's knowledge. AQUVAPRN.exe works in the background when an application is executed and carries out several actions, such as modifying the registry, creating and reading files, and maintaining a continuous internet connection to a specific IP address, all without the user's knowledge. Memory forensics of the infected system shows that AQUVAPRN.exe connects to the IP address 109.51.76.80, geolocated to Lisbon, Portugal, and that the sample has the MD5 hash 55c2c12970cda52f58bfad7b8c7d37d5. The malware also uses an anti-reverse-engineering technique, namely obfuscation, which hinders analysis or reverse engineering of the code used to create it. In the memory image, the AQUVAPRN.EXE process has PID 8332 and a virtual address of 0x8e0f57042080.
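The correlation step the abstract describes (tying the outbound connection to 109.51.76.80 back to the process that owns it, its PID, its in-memory address and its parent) can be scripted over plugin output. The script below is an added example and is not code from the paper; the two listings it parses are constructed sample text modelled on the tab-separated output of Volatility 3's windows.netscan and windows.pslist plugins. Only the IP address, PID, image name, virtual address and MD5 value are taken from the abstract; every other row, column value, timestamp and the function names are assumptions for illustration.

```python
"""Correlate a suspicious outbound connection in a memory image with the
process that owns it (added example, not from the paper).

NETSCAN_OUTPUT and PSLIST_OUTPUT are CONSTRUCTED sample listings modelled on
Volatility 3's tab-separated windows.netscan / windows.pslist output. Only
the IOC IP, PID 8332, AQUVAPRN.EXE and offset 0x8e0f57042080 reuse values
reported in the abstract; the remaining rows are invented.
"""

import hashlib
from dataclasses import dataclass

# Indicators reported in the abstract.
IOC_IP = "109.51.76.80"
IOC_MD5 = "55c2c12970cda52f58bfad7b8c7d37d5"

NETSCAN_OUTPUT = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0x8e0f57a1b2c0\tTCPv4\t192.168.56.101\t49712\t109.51.76.80\t443\tESTABLISHED\t8332\tAQUVAPRN.EXE\t2024-03-01 10:12:44.000000
0x8e0f57b3c4d0\tTCPv4\t192.168.56.101\t49715\t203.0.113.5\t80\tCLOSED\t1204\tsvchost.exe\t2024-03-01 10:10:02.000000
0x8e0f57c5d6e0\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t2112\tchrome.exe\t2024-03-01 10:11:19.000000
"""

PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0x8e0f52081040\t180\t-\tN/A\tFalse\t2024-03-01 09:58:11.000000\tN/A\tDisabled
1204\t812\tsvchost.exe\t0x8e0f53a2b080\t14\t-\t0\tFalse\t2024-03-01 09:58:40.000000\tN/A\tDisabled
2112\t5720\tchrome.exe\t0x8e0f56c1d080\t31\t-\t1\tFalse\t2024-03-01 10:11:15.000000\tN/A\tDisabled
5720\t5600\texplorer.exe\t0x8e0f55d0e080\t62\t-\t1\tFalse\t2024-03-01 10:00:03.000000\tN/A\tDisabled
8332\t5720\tAQUVAPRN.EXE\t0x8e0f57042080\t9\t-\t1\tFalse\t2024-03-01 10:12:40.000000\tN/A\tDisabled
"""


def parse_table(text: str) -> list[dict[str, str]]:
    """Turn a tab-separated plugin listing into one dict per row, keyed by header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


@dataclass
class Finding:
    pid: int
    image: str
    offset: str          # _EPROCESS virtual address from pslist, or "unknown"
    ppid: int
    parent_image: str
    foreign_addr: str
    foreign_port: int
    state: str


def connections_to(netscan_rows: list[dict[str, str]], ip: str) -> list[dict[str, str]]:
    """All socket entries whose remote endpoint is the IOC address."""
    return [row for row in netscan_rows if row["ForeignAddr"] == ip]


def correlate(netscan_text: str, pslist_text: str, ioc_ip: str) -> list[Finding]:
    """Join netscan hits on the IOC IP with the owning process from pslist."""
    procs = {int(row["PID"]): row for row in parse_table(pslist_text)}
    findings: list[Finding] = []
    for conn in connections_to(parse_table(netscan_text), ioc_ip):
        pid = int(conn["PID"])
        proc = procs.get(pid)
        if proc is None:
            # A socket with no matching active process: the process may have
            # exited or be unlinked from the process list. Keep it as a
            # finding rather than silently dropping it.
            findings.append(Finding(pid, conn["Owner"], "unknown", -1, "unknown",
                                    conn["ForeignAddr"], int(conn["ForeignPort"]),
                                    conn["State"]))
            continue
        parent = procs.get(int(proc["PPID"]))
        findings.append(Finding(pid, proc["ImageFileName"], proc["Offset(V)"],
                                int(proc["PPID"]),
                                parent["ImageFileName"] if parent else "unknown",
                                conn["ForeignAddr"], int(conn["ForeignPort"]),
                                conn["State"]))
    return findings


def md5_matches_ioc(data: bytes, ioc_md5: str = IOC_MD5) -> bool:
    """Compare a dumped executable's MD5 with the hash reported for the sample."""
    return hashlib.md5(data).hexdigest().lower() == ioc_md5.lower()


if __name__ == "__main__":
    for f in correlate(NETSCAN_OUTPUT, PSLIST_OUTPUT, IOC_IP):
        print(f"PID {f.pid} ({f.image}) at {f.offset}, parent {f.parent_image} "
              f"(PPID {f.ppid}) -> {f.foreign_addr}:{f.foreign_port} {f.state}")
```

In practice the two listings come from running the plugins against the acquired image and saving their output; the orphan-socket branch matters because a connection whose PID is absent from the active process list is itself worth investigating, not discarding. The MD5 comparison is meant for a process image dumped from memory, so a mismatch against the on-disk hash is expected when the sample unpacks or modifies itself at runtime.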


Article Details

How to Cite
[1]
H. N. Aditya, N. Widiyasono, and A. Rahmatulloh, “Analysis of Aquvaprn.exe Malware for Operating System Investigation Using Memory Forensics Method”, JuTISI, vol. 10, no. 2, pp. 161–172, Aug. 2024.
Section
Articles
