Malware Analysis Report

2024-11-16 13:27

Sample ID 240802-t8qvgawfpc
Target bb9108d709a49a0ac3184418b0b2a450N.exe
SHA256 6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e
Tags
urelas discovery trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e

Threat Level: Known bad

The file bb9108d709a49a0ac3184418b0b2a450N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Deletes itself

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 16:43

Reported

2024-08-02 16:46

Platform

win7-20240729-en

Max time kernel

119s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\teuzr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tokus.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\teuzr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vyowej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tokus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Users\Admin\AppData\Local\Temp\teuzr.exe
PID 2308 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Users\Admin\AppData\Local\Temp\teuzr.exe
PID 2308 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Users\Admin\AppData\Local\Temp\teuzr.exe
PID 2308 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Users\Admin\AppData\Local\Temp\teuzr.exe
PID 2308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\teuzr.exe C:\Users\Admin\AppData\Local\Temp\vyowej.exe
PID 408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\teuzr.exe C:\Users\Admin\AppData\Local\Temp\vyowej.exe
PID 408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\teuzr.exe C:\Users\Admin\AppData\Local\Temp\vyowej.exe
PID 408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\teuzr.exe C:\Users\Admin\AppData\Local\Temp\vyowej.exe
PID 2648 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Users\Admin\AppData\Local\Temp\tokus.exe
PID 2648 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Users\Admin\AppData\Local\Temp\tokus.exe
PID 2648 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Users\Admin\AppData\Local\Temp\tokus.exe
PID 2648 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Users\Admin\AppData\Local\Temp\tokus.exe
PID 2648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\vyowej.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe

"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"

C:\Users\Admin\AppData\Local\Temp\teuzr.exe

"C:\Users\Admin\AppData\Local\Temp\teuzr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\vyowej.exe

"C:\Users\Admin\AppData\Local\Temp\vyowej.exe" OK

C:\Users\Admin\AppData\Local\Temp\tokus.exe

"C:\Users\Admin\AppData\Local\Temp\tokus.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2308-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2308-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2308-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2308-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2308-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2308-30-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2308-28-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2308-25-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2308-23-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2308-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2308-18-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2308-15-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2308-13-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2308-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2308-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2308-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2308-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2308-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2308-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2308-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\teuzr.exe

MD5 4022c2924531cca46c9d14b56def4b5b
SHA1 9e66875bff003caaaa95d0cd96a3f96b2f1c8ccd
SHA256 a61723caf40d132c6f309157f6e3b1c9d16791e34ff32bcde5962ae49707a7c8
SHA512 f80ae9507b2a22631a9399cf5c2ca093fd3bb702da18381b102e2399c7fc12a021fb12739b772656bc6dfa6756604e8d4410acee3b79bfb87973cf7505967364

memory/408-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 31138cca8cdd75c0cb5b82357b465987
SHA1 7a4bd4989a4056c7891b6da44aa19ec9e055b155
SHA256 c8d084cf1cde1c714cd4edc8fc578a9f7c8bf0c6301c4f8a507d5198950bbdd4
SHA512 2dca974bd197d77ef2fdac2a9edf125c5bbdf40efc2f736af18dbba877bc6584c41af9748f6bec13a2aa506ccb8ec971bc16371c30edd7016682eac402f31c15

memory/2308-52-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

memory/2308-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2308-53-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

memory/2308-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2308-63-0x0000000000526000-0x000000000087A000-memory.dmp

memory/408-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/408-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55769237c9349ce4a2ae93e2c72335a3
SHA1 b93400a40645d874d21932cfa251201974ab6942
SHA256 7a37934c062a589a70d73009e7ceeb2ee2ea076fc07a6f1f1195b520a66827f2
SHA512 c60d055788c972ece620d22fa58d27eef47f1c99d43fe11b7b380c43ab3d7fd1e61e7bab419096062678e025b773213321659481dbc2678fab84ee95aeb6599c

memory/408-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/408-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/408-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/408-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/408-113-0x00000000042D0000-0x0000000004DBC000-memory.dmp

memory/408-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/408-116-0x00000000042D0000-0x0000000004DBC000-memory.dmp

\Users\Admin\AppData\Local\Temp\tokus.exe

MD5 e11199b17a1744bad821df8fc5e633c8
SHA1 5a18705fd7b9e881162e44d4141ebb2aca9e9bd4
SHA256 c7c12a08dfc943ff9d422ed9cbfb4ea2b8f60c87b629168546a87d2f931c54eb
SHA512 ddc9d985f39c8a36506b11b8b95ebd10dadb6d48bad67ec371e4f2ac36b3be49418cfc966d55d22b63ee2a2882fc0dac621cac27a9acfd742c4079c2aa9949de

memory/2648-162-0x0000000004A10000-0x0000000004BA9000-memory.dmp

memory/1684-164-0x0000000000400000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 e6b49eb79580575e0694517f00203669
SHA1 cd8fc2a65b6853a2223c4f471711179f9fdd6305
SHA256 949b7ff93077e3ec526dd5c7eae825f676b32b020e10a72123822515151ce6c9
SHA512 2866a31d8344e10a06c48a8b3a1dee9bcf79e1025d93cfa79ed8c81076248788f2d2d2a97d527b133470fe877918fd01775a3b0255b90e5ba9def4b794a25fbf

memory/2648-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1684-177-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 16:43

Reported

2024-08-02 16:46

Platform

win10v2004-20240802-en

Max time kernel

89s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\okawp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\okawp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mixoej.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\okawp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mixoej.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe

"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"

C:\Users\Admin\AppData\Local\Temp\okawp.exe

"C:\Users\Admin\AppData\Local\Temp\okawp.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\mixoej.exe

"C:\Users\Admin\AppData\Local\Temp\mixoej.exe" OK

C:\Users\Admin\AppData\Local\Temp\coluk.exe

"C:\Users\Admin\AppData\Local\Temp\coluk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3824-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3824-1-0x0000000000F30000-0x0000000000F31000-memory.dmp

memory/3824-3-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/3824-2-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/3824-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3824-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/3824-7-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/3824-11-0x0000000000526000-0x000000000087A000-memory.dmp

memory/3824-6-0x00000000010C0000-0x00000000010C1000-memory.dmp

memory/3824-5-0x00000000010B0000-0x00000000010B1000-memory.dmp

memory/3824-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okawp.exe

MD5 f785bc7d7d3fa8e3065962eec3c4758b
SHA1 a15670da001352155ec43bbb459b3ae8c401b988
SHA256 1b11c6b891dc2623e55f6713169dd183b611880509cbd9a539186827e28ff267
SHA512 ecb97819505bef41c651877b8f1088b46bb16db209e570c3dd383acc6d2776f1b9348c7078cb6f088523278052478eb3355abebada2bcb792a476c884b62875f

memory/940-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3824-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3824-26-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 31138cca8cdd75c0cb5b82357b465987
SHA1 7a4bd4989a4056c7891b6da44aa19ec9e055b155
SHA256 c8d084cf1cde1c714cd4edc8fc578a9f7c8bf0c6301c4f8a507d5198950bbdd4
SHA512 2dca974bd197d77ef2fdac2a9edf125c5bbdf40efc2f736af18dbba877bc6584c41af9748f6bec13a2aa506ccb8ec971bc16371c30edd7016682eac402f31c15

memory/940-30-0x0000000001070000-0x0000000001071000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 54ac55437bf1d5fa4e6644149c8334e6
SHA1 b874aaff5484c5d51c879cd1cfb7ea98c5e64a3e
SHA256 c0581edf2bde4a429bad87ab6c041fa41d9ad298ba2aaf6e544a542545ad376a
SHA512 5ae5c54aefa1bd2b82ff396fbc165c7e4dfd3cdf1b45e2ce2a055abc6bd763b1fb3c5a74e8bedc4b520f50331e76d6a44cbd770e3a234e15398f6fd7b433f93e

memory/940-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/940-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/940-29-0x0000000001060000-0x0000000001061000-memory.dmp

memory/940-28-0x0000000000F70000-0x0000000000F71000-memory.dmp

memory/940-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/940-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2616-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2616-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2616-56-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/2616-55-0x00000000011C0000-0x00000000011C1000-memory.dmp

memory/2616-54-0x00000000011B0000-0x00000000011B1000-memory.dmp

memory/2616-53-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/2616-52-0x0000000001170000-0x0000000001171000-memory.dmp

memory/2616-51-0x0000000001050000-0x0000000001051000-memory.dmp

memory/2616-50-0x0000000001040000-0x0000000001041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coluk.exe

MD5 6d70c9e78c8f43ab8471b5fb7a5dd6a9
SHA1 4dfeb1bbd9cc94a1e881c5cc4f318c1405fce249
SHA256 e4c5562aac8fc9b4f039e5c6623a908fba51a53e00b3df677570e20ba639bb68
SHA512 3e1291ba5cc9ad467496df8f50d98e3e7bcfccdf21ff93ef8638c09336a6acfa3a13551bce77e754a316f6724a3225e08b843349b864533dfd4fb156570ed949

memory/4044-71-0x0000000000400000-0x0000000000599000-memory.dmp

memory/2616-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d9b9e0e0aac87f739ed720475990eb63
SHA1 28b055a745c668caf38608b156221e69ded75b7a
SHA256 83c48d1da0f7a1937487198304aa344fa619718d222946797a8c22978bc0630f
SHA512 3ca73d2ee1d4bdc07daf8a8a6bca2623aad2831a51636df6a63b51b97a4b65141feaddce0d011bb0bff703737e8f92c87452025e2768a221793e4999265d4702

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/4044-75-0x0000000000400000-0x0000000000599000-memory.dmp