Analysis Overview
SHA256
4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33
Threat Level: Known bad
The file fffffffffff.exe was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-11 18:33
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-11 18:33
Reported
2024-12-12 08:48
Platform
win7-20240903-en
Max time kernel
598s
Max time network
600s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe
"C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | email-hitting.gl.at.ply.gg | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
Files
\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | e469dda91ae810a1f94c96060f3f8a65 |
| SHA1 | 0b4b3b0f6f937016b1e045ce5313ee2a65a38630 |
| SHA256 | d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842 |
| SHA512 | 2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac |
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | bf3709975587af1ae764262fd2ce2f48 |
| SHA1 | de63b6c5b11653e8d777f8cbbf6018972413d44a |
| SHA256 | 4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33 |
| SHA512 | 19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-11 18:33
Reported
2024-12-11 19:19
Platform
win10v2004-20241007-en
Max time kernel
589s
Max time network
592s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1040 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 1040 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 1040 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1040 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1040 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe
"C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | email-hitting.gl.at.ply.gg | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | bf3709975587af1ae764262fd2ce2f48 |
| SHA1 | de63b6c5b11653e8d777f8cbbf6018972413d44a |
| SHA256 | 4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33 |
| SHA512 | 19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94 |