Malware Analysis Report

2025-06-16 05:31

Sample ID 240314-vwwqmaca85
Target 0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920
SHA256 0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920
Tags
quasar remote client spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920

Threat Level: Known bad

The file 0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920 was found to be: Known bad.

Malicious Activity Summary

quasar remote client spyware trojan

Quasar RAT

Quasar payload

Detects .NET executables utilizing NyanX-CAT C# Loader

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing common artifacts observed in infostealers

Detects .NET executables utilizing NyanX-CAT C# Loader

Detects Windows executables referencing non-Windows User-Agents

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 17:20

Signatures

Detects .NET executables utilizing NyanX-CAT C# Loader

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 17:20

Reported

2024-03-14 17:23

Platform

win7-20240220-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects .NET executables utilizing NyanX-CAT C# Loader

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2340 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe

"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pentestpenguin-56392.portmap.host udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp

Files

memory/2340-0-0x0000000000220000-0x0000000000548000-memory.dmp

memory/2340-1-0x0000000074500000-0x0000000074BEE000-memory.dmp

memory/2340-2-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/2340-3-0x0000000074500000-0x0000000074BEE000-memory.dmp

memory/2340-4-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/2340-5-0x0000000004EB0000-0x00000000051D6000-memory.dmp

memory/2600-8-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2600-10-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2600-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2600-12-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2600-6-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2600-16-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2600-18-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2340-19-0x0000000074500000-0x0000000074BEE000-memory.dmp

memory/2600-21-0x0000000000400000-0x0000000000724000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 17:20

Reported

2024-03-14 17:23

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects .NET executables utilizing NyanX-CAT C# Loader

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3128 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3128 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe

"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 pentestpenguin-56392.portmap.host udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.134.221.88.in-addr.arpa udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
DE 193.161.193.99:56392 pentestpenguin-56392.portmap.host tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3128-0-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/3128-1-0x00000000007D0000-0x0000000000AF8000-memory.dmp

memory/3128-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/3128-3-0x0000000005540000-0x00000000055D2000-memory.dmp

memory/3128-4-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/3128-5-0x0000000005500000-0x000000000550A000-memory.dmp

memory/3128-6-0x0000000005770000-0x00000000057E6000-memory.dmp

memory/3128-7-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/3128-8-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/3128-9-0x00000000060A0000-0x00000000063C6000-memory.dmp

memory/3128-10-0x0000000005810000-0x000000000582E000-memory.dmp

memory/4120-11-0x0000000000400000-0x0000000000724000-memory.dmp

memory/3128-13-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/4120-14-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/4120-15-0x0000000002E30000-0x0000000002E40000-memory.dmp

memory/4120-16-0x00000000069F0000-0x0000000007008000-memory.dmp

memory/4120-17-0x0000000006580000-0x00000000065D0000-memory.dmp

memory/4120-18-0x00000000067E0000-0x0000000006892000-memory.dmp

memory/4120-19-0x0000000075200000-0x00000000759B0000-memory.dmp

memory/4120-20-0x0000000002E30000-0x0000000002E40000-memory.dmp