Analysis Overview
SHA256
ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55
Threat Level: Known bad
The file SPI MARINE.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
outlook_win_path
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-12 13:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-12 13:06
Reported
2023-01-12 13:09
Platform
win7-20221111-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1908
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/1780-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp
memory/820-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js
| MD5 | 52a7a3de89aa5553c03bc908385e47c6 |
| SHA1 | c9119e20eb105d5f722d5fdc417a51a829b2b517 |
| SHA256 | 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd |
| SHA512 | 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3 |
memory/1468-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/1468-61-0x00000000011B0000-0x0000000001274000-memory.dmp
memory/1468-62-0x0000000075991000-0x0000000075993000-memory.dmp
memory/1468-63-0x00000000006A0000-0x00000000006AE000-memory.dmp
memory/1468-64-0x0000000008540000-0x00000000085F2000-memory.dmp
memory/964-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-12 13:06
Reported
2023-01-12 13:09
Platform
win10v2004-20221111-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4460 wrote to memory of 4852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4460 wrote to memory of 4852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 4460 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.135.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 20.50.73.10:443 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/4852-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js
| MD5 | 52a7a3de89aa5553c03bc908385e47c6 |
| SHA1 | c9119e20eb105d5f722d5fdc417a51a829b2b517 |
| SHA256 | 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd |
| SHA512 | 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3 |
memory/4732-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/4732-137-0x0000000000380000-0x0000000000444000-memory.dmp
memory/4732-138-0x0000000004E00000-0x0000000004E66000-memory.dmp
memory/4732-139-0x00000000087C0000-0x00000000087E2000-memory.dmp
memory/4732-140-0x0000000002820000-0x000000000282A000-memory.dmp
memory/4732-141-0x0000000002850000-0x0000000002862000-memory.dmp