Analysis Overview
SHA256
5bc8c6aa7ccb11de2b19cabc08c096025da18e7898c5e8227ef109c266820f82
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Executes dropped EXE
Unsigned PE
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 15:18
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
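The static verdict Unsigned PE means the file carries no certificate table. The Python below is an added example, not the sandbox's own check: it reads the security data directory of the PE optional header (index 4, the one directory that holds a file offset rather than an RVA) and reports whether a WIN_CERTIFICATE blob is present. Presence is all it establishes; whether a signature is valid and chains to a trusted publisher needs the Windows trust APIs (signtool verify /pa, Get-AuthenticodeSignature). The build_pe helper constructs minimal headers-only PE images for demonstration; nothing here is taken from the page's file.

```python
"""Report whether a PE file has an Authenticode certificate table.

Added example, not part of the sandbox report. signature_info() answers
only "is a WIN_CERTIFICATE referenced and inside the file"; validity is
out of scope. build_pe() fabricates test images (an assumption, for demo).
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def signature_info(data):
    """Return {'pe32plus', 'signed', 'cert_offset', 'cert_size', 'cert_type'}.

    Raises ValueError for anything that is not a parseable PE or whose
    certificate table points outside the file (a truncated signature).
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        pe32plus, dir_base, nrva_off = False, opt + 96, opt + 92
    elif magic == 0x20B:                         # PE32+
        pe32plus, dir_base, nrva_off = True, opt + 112, opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    info = {"pe32plus": pe32plus, "signed": False,
            "cert_offset": 0, "cert_size": 0, "cert_type": None}
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return info
    # Security directory: (file offset, size) of the WIN_CERTIFICATE table.
    off, size = struct.unpack_from("<II", data,
                                   dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return info                               # "Unsigned PE"
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    info.update(signed=True, cert_offset=off, cert_size=size, cert_type=cert_type)
    return info


def build_pe(pe32plus=True, cert=None):
    """Construct a headers-only PE (no sections); optionally append a
    WIN_CERTIFICATE and point the security directory at it. Test data only."""
    opt_size = 240 if pe32plus else 224           # fixed part + 16 directories
    headers_len = 64 + 4 + 20 + opt_size
    cert_blob, sec_off, sec_size = b"", 0, 0
    if cert is not None:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType, bCertificate
        cert_blob = struct.pack("<IHH", 8 + len(cert), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        sec_off, sec_size = headers_len, len(cert_blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    fixed = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(
        112 if pe32plus else 96, b"\0")
    fixed = fixed[:-4] + struct.pack("<I", 16)                 # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, sec_size)
    return dos + b"PE\0\0" + coff + fixed + bytes(dirs) + cert_blob


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe()
    print(signature_info(blob))
```

Run it as `python pe_sig.py Client-built.exe` to reproduce the static check on a real file; with no argument it inspects a constructed unsigned image. A result of signed=True still has to be followed by a trust check, since a self-signed or stripped-and-reattached certificate passes this parser.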
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 15:18
Reported
2024-04-17 15:35
Platform
win7-20240221-en
Max time kernel
1032s
Max time network
1042s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5E1F2511-FCCE-11EE-917A-EA263619F6CB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EFB00E53-D0C7-11EE-917A-EA263619F6CB}.dat = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee179758,0x7feee179768,0x7feee179778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1340 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:209938 /prefetch:2
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
Files
memory/2732-0-0x0000000000E50000-0x0000000001174000-memory.dmp
memory/2732-1-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2732-2-0x000000001B1E0000-0x000000001B260000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | eb8790c82d5096b84022449c2298c62a |
| SHA1 | 12030a6f4988fb744328bc1963c7017207e40276 |
| SHA256 | 5bc8c6aa7ccb11de2b19cabc08c096025da18e7898c5e8227ef109c266820f82 |
| SHA512 | d4d7ac397e023e6c08dfd6681e802d4c52d56a45a4e66acd53bc0138d3ed45f3930ef0d90cdeaafcf478d08ecab28cae61ffe5c571fa4c37be39497f16891464 |
memory/2732-8-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2664-7-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2664-9-0x0000000000910000-0x0000000000C34000-memory.dmp
memory/2664-10-0x000000001B480000-0x000000001B500000-memory.dmp
memory/2664-11-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2664-12-0x000000001B480000-0x000000001B500000-memory.dmp
\??\pipe\crashpad_2184_CMVVZJAMFLBVCBFG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 57ecc98a3a0933228956257918f6ed4e |
| SHA1 | 89418506cbedc423d31b8478b55f29b4a43fad10 |
| SHA256 | 71eec5739e1c1f0f5b75d78c55c23bffbf62c85775e6bdcb7d5f1c61a0aa1f4a |
| SHA512 | e47f049127e2bc622965abe56637bc0fb61ab24f519530d560f80c761d9f6fc7f529848d755262ec2f579e646621a4aaea138b963397446f06415e4a26fdb199 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 88d6d9d261dbdc8d693bc2334b7b6b17 |
| SHA1 | 5cb4b8986afd02279e7716e18844b7c7b077cb9b |
| SHA256 | 671eb917cfb3ef8d4c1c6dfc859ff424d3b68239abdbeead42fd14521f059d72 |
| SHA512 | fe433e0dcd05717506b003c0038d2b96112fb915718c8021c8ed9d5a8438ed5095340cbebf8ffecea507c83af108f7528cfbba7f9dedf5c37cde6de24e4a8079 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | df8eaea0eb500c51ac55b4a132b7ed96 |
| SHA1 | 074605892329ba31d19032b28b0c8e036f0087c1 |
| SHA256 | 0ea8aa3113a0024fdc6f0b9affff698b9f18f61e658ab132c811afcbf2d24f57 |
| SHA512 | aca2e38d57bb863317f82d355a3b861576475d21bb177bb9fa183d8db56b516cc5d39cda609aaf2bd2c545921d0d21202ee2f3d60caddfb6cbaf5016d344971e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 70610c45e71ae60a1e721eb6c3cde9d4 |
| SHA1 | df9de3a6008363e7771af9ec9c54dd40287e771c |
| SHA256 | 6b7512776078c207e7bb635d355e5bbf53088638eb9bed566d0092bf7ac12495 |
| SHA512 | 6ef48b66bb5fdae4df26d8399cb9906360fa229111101d4d149df8b48e9a820a5c8583c36d0b1dc06f9c0c19b486e52124c674612562649c31adbd400953405f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1f01833b-28c5-47fa-9120-68dd00224722.tmp
| MD5 | 26914d75b08888a281f25f672021b7b5 |
| SHA1 | 070f719254f05230c63da22c74360c6987291e8b |
| SHA256 | af07b1d542962f430e02acd29b492e0fabeede995b235acfe83b34b41e23d12e |
| SHA512 | 0d866a9c71b5c3248138e0308d041a44a94d40f634187ba1cf951be82ca6fb92ddb65ffffe41db038c9fdbe1d27facfb451f21530454426d62b8c856a5b66e25 |
C:\Users\Admin\AppData\Local\Temp\Cab6911.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar69F4.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da48eebeaaf084758fc87530828e1f14 |
| SHA1 | 8cb838c780257dd9fc9c7d675cfeb9ee9ab919f6 |
| SHA256 | 6c58522a9a7ea366ceab394b23c5729ac500e6461f29c0d0ef0bac8e7e76da2d |
| SHA512 | be1744ca874bd803f2b093a3168bb82a597cc67240c4fb7e468fb859aa444ecb42bd5f631a8739371ecd6ff385bd0820587f0da55bc4d2fd9f0213f52fd82dcc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa684bf465f2e77a377277bc6c985fc1 |
| SHA1 | e5e8e46447995c70f762f1f6a21d0a9f4f68b51d |
| SHA256 | 61e6f25c3bb4145a7dc3f8b090b71e34fe3672bb4ca7f8ba86d4482735823f25 |
| SHA512 | 5d371631054f88b9cc1ba440edcc6583d29e244bfaf4970cd4fd6c60510ef32cbc9d9f8ef2c03920de0e7c88cc279916ae2c6dea65ac89ae5a7185da31390b05 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0002d4181f250f063b41ae75970662f |
| SHA1 | 315bb152c3a1bcdf39185876261468e1862b089e |
| SHA256 | 931b2177b1b975c63562e9466d85ba24be5da00e938c71d3819a4eaa4b67483a |
| SHA512 | 83547b61ea2b98155c62dc4d0e4b4a531f0feb1befe41412d361e91bd1c46acf1b2f7a9b1407b2a2fee8630992d56f9107af6508f9f3c5747bcbf0f717571425 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4003540791072fa44394b82a2dad99b9 |
| SHA1 | 142d065d37f9bde36d2404edf2c13b110bb98d4c |
| SHA256 | d297c84100c593d81826ba461c6b445e47a9861df79a80e4822fe9e46c619e95 |
| SHA512 | 03f103e8c7f44bbb19f28e1ec166fc411f42faf12d929da8cb275750cbfbb42254fe4e5489d76f5a4d4b286049c17a2aab1e32ef68eb02f487cf6d3cd90e17e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 72bf4c1251ebc2c021fd25e27b07f2a2 |
| SHA1 | fd2f008ae6ea8e3090b6877157cb7da03085522a |
| SHA256 | 15b0fbc83c71be7422f17cb32c4d075fdcc2010d85e15dfe2981f3cf6f9c4133 |
| SHA512 | d71792fc225fbfb014afd6bdf7c2e069e12eae03c95e396c4dd82947dcdbe72b15107bae455d2f191b35269be4c368a0dc1c2e4adeb3ba4e105d32b69f44bea1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99a697e0ba8e049d3b3d1c66157302f7 |
| SHA1 | a397b020de273759748204766c4e3581dc459e1c |
| SHA256 | f12dc38796ed011e3c98c9758c1a9b8ab2ba2d8b5a781600a083ca5af2925bf1 |
| SHA512 | defc2faf5475052b44bdfbf61903440382334049c45198031a5080510d6482fe384610227ea0d0ce5a7658a845a7fc5c54589625a92bbd9001b3ed6bfcd7abec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfa6782193ede4bd80a9847f1557a755 |
| SHA1 | 3a5ed2da9e0dafc1f3b68944a71398df916621d3 |
| SHA256 | 66b970bdfebe4f3486a2ecf6a94ad9702679fc1d1d77ddc46cce7a14a6f24344 |
| SHA512 | d94d4bd55670d05645eb518e150cecd586ea736d8798653ea29377539b67f21e1bf5e28636d50c5c010f85eb1220bc0e6d7f4017c09e46f5b4ea6d93d0ec3e51 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d52c26c5db1e9cc7baa446d6cdfa74fc |
| SHA1 | e8f809d5accc8ac1fe23c00ff21fdd0dfb8801b3 |
| SHA256 | 4961bc563f08171bac4f760708204415aa82abc3e21773d17c51396b09f6e476 |
| SHA512 | 6978af17ee103d51aa31c5ca208379bc3e28b91f4933963b9d945ccac717edc3b3b1a6ba25165c03d0ab03a3655f775afae59a40f539dd9f60f6670436ec06c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20c84877a02a358e70a9d1fb001aa275 |
| SHA1 | d32b07c0f5eec8b9f1fb261e15fbaa65d78ee8ad |
| SHA256 | 9bf43f80cf4206c6c88ab333a4894ce687392d7ba6f3f1fa541a58a2fe076bd5 |
| SHA512 | 75df494fc5b7cc85c4f40cac6b073d2a22e27711cf1d37e8f794badcf0ddd7ab2d98a3ea78e9f6646f1b2823ca0cd49b93d334f736d551da5dc7847c0b7852d1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PZGWOGHY.txt
| MD5 | e3532e524b182ff59c0dbc45d51d04cb |
| SHA1 | 20dde2e88a2326d326dec6272d23f0f0a7b33185 |
| SHA256 | 3cded7c965508b61646eaa7c12a145411fdb5bf4e98da371abea3dc45ea9be0e |
| SHA512 | 021f9f034f1bca1f4b1e65c2ae1c647d9cd693f17600eba82cdabe39f341db5cc8d3bfbcb634b86546e332130f64c0a17ca0930ac4d7fc1c9a5f3f7fd7765c74 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[1].xml
| MD5 | b2130aab9684ead28494c033cdc03b27 |
| SHA1 | f2a722f874edcf5fecd4b90dec824af651231d69 |
| SHA256 | 4e73d6ff38214f43dc41d85ce1c9c8d61ea842d1db20eae5f1a21c0e09c99454 |
| SHA512 | 447bc2b113ec995663b779e1b39741a43044a189896e460225ccc938d54636ebc5aed1d7fa7caefeecde2b839cfa080cbbb8996c4a66316a6a20d09aad44ff53 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[2].xml
| MD5 | bac742f0e7c5f35ac3505c93ca1104c9 |
| SHA1 | a9635e3ba1abb12206bdaa4236fb44789ac8be5a |
| SHA256 | e2f18b1a6b5db2451c94083e09a93c8542d2be4434aab0993cb7f5e22f46fc02 |
| SHA512 | 4f6dfdda05595e41dcd319996e6c8b7145b4aeeea081003920fb6f3a04d7e0076d1cd2ce132bbc96c42e4bc844fbc9aef676ec8f071c0b1b76384309d01a32a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[3].xml
| MD5 | da3e372243ed748f15b04ce84a6cd28c |
| SHA1 | e7f1c63b32d31b77631c783ac3e2739cb82cabc0 |
| SHA256 | e2ecffea9da045ebbf5ba4faa746ebea2c8af1a8759c830d5362251e3add3a59 |
| SHA512 | b3941b06762239e1b576c5a5f8b2c4889b261d8a549d8546dd8097a2d9683c70508fd2318cfcb260557976a817260ff4ec159779b96d7d2e1435a51428db6641 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[4].xml
| MD5 | 9cb760b23d8247e69005c5860659b469 |
| SHA1 | ac3bf20ccefed1afbc424d9099e78872ea97b922 |
| SHA256 | d4e5aa8c00d29970694212209cfb782168ad2bfcca178544a750ec970cb3c119 |
| SHA512 | 287a101d5be8e101b5124aadd89424e0758118aef35df554f049cf15236597109446867feda69aa58389eefe3a069f25f9cfa97f12265ceccfa6b4392c31c452 |
C:\Users\Admin\AppData\Local\Temp\~DFFB7CAF65A4A8DF72.TMP
| MD5 | e101698f9be392500cb7d249c21d6ecd |
| SHA1 | 225bc9c3315a51d6231fc82d847e2813798b7c4f |
| SHA256 | 27983beb2999ff35b9835c4de0d5ec424e1cacfe131d1082e2fed82eadc5766c |
| SHA512 | d6a996ff4fa8f0d5b1b86ed1513922c119c10dd583e9e04c45a1c6825664515d2551b8c5926d3863ea9b5b719eff1939fb135485e29ed9e7c3a91b52a871b804 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 15:18
Reported
2024-04-17 15:20
Platform
win10v2004-20240412-en
Max time kernel
126s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3928 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3928 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3928 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 3928 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 1620 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1620 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
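Both detonations show the same chain: Client-built.exe (the default output name of the Quasar builder) registers a logon task named Windowsstartup with /rl HIGHEST pointing at a copy of itself under AppData\Roaming\SubDir, launches that copy, and the copy registers the task again. The WriteProcessMemory rows are the parent writing into children it has just spawned; the schtasks command line is the stronger signal. The Python below is an added example, not code from the report or the sandbox: it walks constructed process-start events (PIDs and command lines modelled on the behavioral2 process list; the field names pid, ppid, image, cmdline are an assumption matching a Sysmon Event ID 1 or EDR process-start record), scopes to the submitted sample's process tree, and explains why each schtasks /create inside that tree looks like persistence. Scoping to the tree also drops rows like behavioral1's registry and Internet Explorer entries, which are attributed to chrome.exe and iexplore.exe rather than to the sample.

```python
"""Flag scheduled-task persistence inside a sample's process tree.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the behavioral2 process list (PIDs from its WriteProcessMemory rows);
the record layout is an assumption.
"""
import ntpath
import re

# Directories an unprivileged user can write to. A logon task whose /tr lives
# here is a dropper keeping itself alive, not an administrator's job.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks_create(cmdline):
    """Return {option: value} for a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]       # /tn NAME, /sc ONLOGON, /tr PATH ...
                i += 2
            else:
                opts[key] = True              # bare switches: /create, /f
                i += 1
        else:
            i += 1
    return opts if "create" in opts else None


def task_reasons(opts):
    """Traits of the task that point at persistence rather than admin work."""
    reasons = []
    if str(opts.get("sc", "")).upper() == "ONLOGON":
        reasons.append("runs at every logon")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    if USER_WRITABLE.search(str(opts.get("tr", ""))):
        reasons.append("target lives in a user-writable directory")
    if opts.get("f"):
        reasons.append("/f silently overwrites an existing task")
    return reasons


def descendants(events, root_pid):
    """root_pid plus every PID it spawned, transitively."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(by_parent.get(pid, []))
    return seen


def find_task_persistence(events, sample_basename):
    """Scheduled-task creations within the sample's process tree only."""
    tree = set()
    for ev in events:
        if ntpath.basename(ev["image"]).lower() == sample_basename.lower():
            tree |= descendants(events, ev["pid"])
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        opts = parse_schtasks_create(ev["cmdline"]) if ev["pid"] in tree else None
        if opts:
            parent = by_pid.get(ev["ppid"])
            findings.append({"pid": ev["pid"],
                             "parent": parent["image"] if parent else None,
                             "task": opts.get("tn"), "target": opts.get("tr"),
                             "reasons": task_reasons(opts)})
    return findings


# Constructed events mirroring behavioral2; pid 7000 is an unrelated benign
# task creation outside the sample's tree and must not be reported.
SCHTASKS = ('"schtasks" /create /tn "Windowsstartup" /sc ONLOGON '
            '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f')
EVENTS = [
    {"pid": 3928, "ppid": 100, "image": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'},
    {"pid": 5000, "ppid": 3928, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS},
    {"pid": 1620, "ppid": 3928, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 3132, "ppid": 1620, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS},
    {"pid": 7000, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'},
]

if __name__ == "__main__":
    for f in find_task_persistence(EVENTS, "Client-built.exe"):
        print(f"pid {f['pid']} from {f['parent']}: task {f['task']!r} -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

The task name is operator-chosen (Quasar's builder lets it be set), so match on the traits rather than on Windowsstartup. Outside a sandbox, also correlate with Microsoft-Windows-TaskScheduler/Operational event 106 (task registered) and the task XML under C:\Windows\System32\Tasks, which survives after the process telemetry has rolled over.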
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
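In both runs the only destination contacted over and over without a DNS lookup is 192.168.1.240:4782. TCP/4782 is Quasar's default listener port, and 192.168.1.240 is an RFC 1918 address, so this build is configured for a controller on a private network; the reusable indicator is the port and the beaconing pattern, not the address. The Python below is an added example, not part of the report: it parses rows in the layout of the Network tables above (the table embedded in it is constructed from both runs, so its counts are not the report's) and ranks each destination by the traits a C2 channel tends to share. The port sets and the repeat threshold are assumptions.

```python
"""Rank sandbox network destinations by C2 likelihood.

Added example, not part of the sandbox report. Rows use the report's layout
(Country | Destination | Domain | Proto). KNOWN_RAT_PORTS, COMMON_PORTS and
min_repeats are assumptions to tune for your own environment.
"""
import ipaddress
from collections import defaultdict

KNOWN_RAT_PORTS = {4782: "Quasar default"}   # a hint only; operators change it
COMMON_PORTS = {53, 80, 443, 5353}


def parse_row(line):
    """'| US | 8.8.8.8:53 | www.google.com | udp |' -> dict; None for the header."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    host, _, port = cells[1].rpartition(":")
    return {"country": cells[0], "host": host, "port": int(port),
            "domain": None if cells[2] in ("", "N/A") else cells[2],
            "proto": cells[3].lower()}


def load_table(text):
    return [r for r in (parse_row(l) for l in text.splitlines() if l.strip()) if r]


def rank_destinations(rows, min_repeats=3):
    """Group by host:port/proto; score = number of C2-like traits present."""
    groups = defaultdict(lambda: {"count": 0, "domains": set()})
    for r in rows:
        g = groups[(r["host"], r["port"], r["proto"])]
        g["count"] += 1
        if r["domain"]:
            g["domains"].add(r["domain"])
    ranked = []
    for (host, port, proto), g in groups.items():
        reasons = []
        if g["count"] >= min_repeats:
            reasons.append(f"{g['count']} connections: repeated beaconing")
        if not g["domains"]:
            reasons.append("no DNS name seen: address is hard-coded in the client")
        if proto == "tcp" and port not in COMMON_PORTS:
            reasons.append(f"uncommon port {port}")
        if port in KNOWN_RAT_PORTS:
            reasons.append(f"port {port} is the {KNOWN_RAT_PORTS[port]} listener port")
        if ipaddress.ip_address(host).is_private:
            reasons.append("RFC 1918 address: controller sits on a private network")
        ranked.append({"dest": f"{host}:{port}/{proto}", "count": g["count"],
                       "score": len(reasons), "reasons": reasons})
    ranked.sort(key=lambda x: (-x["score"], -x["count"]))
    return ranked


# Constructed from rows in both detonations' Network tables (counts are illustrative).
TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| N/A | 192.168.1.240:4782 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
"""

if __name__ == "__main__":
    for d in rank_destinations(load_table(TABLE)):
        if d["score"]:
            print(f"{d['dest']:28} score {d['score']}  {'; '.join(d['reasons'])}")
```

Treat the output as triage order, not a verdict: mDNS to 224.0.0.251 and a single HTTP connection with no recorded name each score one on the hard-coded-address trait alone, while the C2 candidate collects all five. On a production network, query flow logs for repeated TCP/4782 from workstations; the sandbox's 192.168.1.240 will not appear there.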
Files
memory/3928-0-0x0000000000C10000-0x0000000000F34000-memory.dmp
memory/3928-1-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp
memory/3928-2-0x000000001BCB0000-0x000000001BCC0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | eb8790c82d5096b84022449c2298c62a |
| SHA1 | 12030a6f4988fb744328bc1963c7017207e40276 |
| SHA256 | 5bc8c6aa7ccb11de2b19cabc08c096025da18e7898c5e8227ef109c266820f82 |
| SHA512 | d4d7ac397e023e6c08dfd6681e802d4c52d56a45a4e66acd53bc0138d3ed45f3930ef0d90cdeaafcf478d08ecab28cae61ffe5c571fa4c37be39497f16891464 |
memory/1620-9-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp
memory/3928-8-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp
memory/1620-10-0x000000001B530000-0x000000001B540000-memory.dmp
memory/1620-11-0x000000001BC30000-0x000000001BC80000-memory.dmp
memory/1620-12-0x000000001BD40000-0x000000001BDF2000-memory.dmp
memory/1620-13-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp