Analysis
max time kernel: 1479s
max time network: 1451s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-09-2023 13:06
Static task: static1
Behavioral task: behavioral1
Sample: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
Resource: win10-20230831-en
Behavioral task: behavioral2
Sample: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
Resource: win10v2004-20230831-en
General
Target: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
Size: 454KB
MD5: 2c72015e22b53c215403979536bce826
SHA1: 39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1
SHA256: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd
SHA512: 0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1
SSDEEP: 6144:ARkz9/pOuAXNjskDoLHq/97BJBNcplFbs4NhulBngyAyLo59QeW:AK5ppmNjluHqVVxcFbsK8fnrS9Q
Malware Config
Extracted
C:\Users\Public\Videos\read-me.txt
globeimposter
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
http://helpqvrg3cc5mvb3.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Renames multiple (8646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: aspnet_wp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\aspnet_wp.exe" | aspnet_wp.exe
-
Drops desktop.ini file(s) 30 IoCs
Suspicious use of SetThreadContext 1 IoCs
Processes: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
description | pid | process | target process
PID 1476 set thread context of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
-
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
pid | process
1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: aspnet_wp.exe
pid | process
3908 | aspnet_wp.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
description | pid | process
Token: SeDebugPrivilege | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe, aspnet_wp.exe
description | pid | process | target process
PID 1476 wrote to memory of 1844 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_state.exe
PID 1476 wrote to memory of 1844 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_state.exe
PID 1476 wrote to memory of 1844 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_state.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 1476 wrote to memory of 3908 | 1476 | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe | aspnet_wp.exe
PID 3908 wrote to memory of 2320 | 3908 | aspnet_wp.exe | cmd.exe
PID 3908 wrote to memory of 2320 | 3908 | aspnet_wp.exe | cmd.exe
PID 3908 wrote to memory of 2320 | 3908 | aspnet_wp.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe (PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (PID 1844)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (PID 3908)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    Signatures: Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2320)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe > nul
Network
MITRE ATT&CK Enterprise v15
Downloads