By ZeroDay Malware Intelligence•April 27, 2026•
malware
COBALTSTRIKE Malware Analysis: MITRE ATT&CK, IOCs & Detection
title: "COBALTSTRIKE Malware Analysis: MITRE ATT&CK, IOCs & Detection"
description: "Complete technical analysis of CobaltStrike — detection ratio N/A, MITRE ATT&CK mapping, IOCs, behavioral profile, YARA rules, and incident response. Enriched by Zerosday with live MalwareBazaar and OTX data."
date: "2026-04-27"
category: malware
image: "/img/posts/malware.png"
tags: ["malware", "threat-intelligence", "mitre-attck", "cobaltstrike", "cobaltstrike", "ioc", "detection", "cybersecurity"]
author: "ZeroDay Malware Intelligence"
malwareFamily: "CobaltStrike"
malwareType: "CobaltStrike"
detectRatio: "N/A"
attackTechniquesCount: "0"
COBALTSTRIKE Malware Analysis: MITRE ATT&CK, IOCs & Detection
Detection ratio: N/A | MITRE ATT&CK techniques: see below | Type: CobaltStrike | Updated: 2026-04-27
CobaltStrike Analysis: A Deep Dive for Security Professionals
This report provides a comprehensive technical analysis of CobaltStrike, a sophisticated post-exploitation framework widely leveraged by threat actors for advanced persistent threats (APTs) and financially motivated attacks. We delve into its internal mechanics, MITRE ATT&CK mapping, IOCs, static and dynamic analysis, real-world campaigns, and actionable detection and response strategies. This analysis is crucial for understanding the evolving threat landscape, particularly concerning sophisticated malware deployments and potential zero-day exploits that might leverage such frameworks.
Executive Summary
CobaltStrike is a commercial penetration testing tool that has been widely adopted and weaponized by various threat actors due to its powerful post-exploitation capabilities. Originally designed for red teams to simulate adversarial behavior, its features are now extensively used by APT groups and cybercriminals alike. The framework allows for the creation of sophisticated malware implants, known as "beacons," which facilitate remote command and control (C2), lateral movement, privilege escalation, and data exfiltration. Its modular design and ease of customization make it a persistent threat, capable of adapting to various network environments and evading detection. While not a zero-day exploit itself, CobaltStrike is often used in conjunction with discovered vulnerabilities, including potential future exploits for systems like those running specific AI models or hardware architectures, to achieve initial access. Its history is marked by its evolution from a legitimate tool to a staple in the arsenal of numerous threat actors, with ongoing campaigns targeting a wide range of industries globally. Attribution is often difficult due to its widespread use and the potential for "renting" CobaltStrike infrastructure.
How It Works — Technical Deep Dive
CobaltStrike's effectiveness stems from its modular architecture and its ability to deploy a highly configurable agent called a "Beacon."
Initial Infection Vector
CobaltStrike does not typically provide its own initial infection vector but is rather deployed after an initial compromise. Common initial access methods include:
- Phishing Campaigns: Malicious documents (e.g., Word, Excel, PDF) embedded with VBA macros or exploits that, when opened, download and execute a CobaltStrike stager.
- Exploitation of Vulnerabilities: Leveraging publicly known vulnerabilities (e.g., CVE-2023-41974, CVE-2023-46805) or potential zero-day exploits to gain initial execution on a target system.
- Supply Chain Attacks: Compromising legitimate software or update mechanisms to distribute CobaltStrike payloads.
- Credential Stuffing/Brute Force: Gaining access to systems via compromised credentials.
The typical payload delivered during initial infection is a small "stager" which is then responsible for downloading and executing the full CobaltStrike Beacon.
Persistence Mechanisms
CobaltStrike employs various techniques to maintain persistence:
- Registry Run Keys: Adding entries to
HKCU\Software\Microsoft\Windows\CurrentVersion\RunorHKLM\Software\Microsoft\Windows\CurrentVersion\Runto ensure the Beacon restarts on system boot.# Example PowerShell command to add a registry run key New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MalwarePersistence" -Value "C:\Path\To\Beacon.exe" -PropertyType String -Force - Scheduled Tasks: Creating scheduled tasks that execute the Beacon at specific intervals or system events.
# Example schtasks command to create a persistent task schtasks /create /tn "MalwareUpdate" /tr "C:\Path\To\Beacon.exe" /sc ONLOGON /rl HIGHEST - DLL Hijacking: Dropping a malicious DLL in a location where a legitimate application will load it, thereby executing the Beacon.
- WMI Event Subscriptions: Registering a WMI event consumer to trigger Beacon execution.
Command and Control (C2) Communication Protocol
CobaltStrike's Beacon uses a highly flexible C2 protocol, commonly leveraging HTTP/S or DNS.
- HTTP/S (Malleable C2): This is the most prevalent protocol. CobaltStrike's "Malleable C2" profiles allow attackers to customize the network traffic to mimic legitimate web traffic, making it difficult to detect with signature-based IDS/IPS.
- Profiles: Users can select from pre-defined profiles (e.g.,
iis,apache,cloud) or create custom ones. These profiles dictate how the Beacon formats its HTTP/S requests and responses, including User-Agent strings, URI paths, headers, and data encoding (e.g., Base64, AES encryption). - Beaconing Interval: The Beacon periodically "checks in" with the C2 server. This interval can be randomized to avoid predictable traffic patterns.
- Traffic Patterns: Requests often look like standard web requests (e.g., GET or POST to a specific URI). The data exchanged is encrypted and can be further disguised.
- Example HTTP Request (Obfuscated): A typical request might involve a POST to
/submit.phpwith a custom User-Agent and encrypted data in the request body. The response might be a small chunk of data or a larger payload.
- Profiles: Users can select from pre-defined profiles (e.g.,
- DNS: Beacons can also communicate over DNS, typically using TXT or CNAME records for data exfiltration and command retrieval. This is less common for full command execution due to bandwidth limitations but useful for initial reconnaissance or small data transfers.
- DNS Queries: The Beacon constructs DNS queries with encoded commands or data, and the DNS server (controlled by the attacker) responds with encoded data.
- RFC 1035 and RFC 1034: These foundational RFCs define the DNS protocol, and CobaltStrike leverages its structure for C2.
Payload Delivery and Staging Mechanism
CobaltStrike employs a multi-stage approach:
- Stager: A small executable (e.g.,
.exe,.dll,.ps1) that is delivered during initial compromise. Its sole purpose is to download and execute the main Beacon payload. Stagers can be shellcode, executables, or scripts. - Beacon Payload: The main Beacon executable, which is significantly larger and contains the core functionality for C2, process injection, and further payload execution. This is often downloaded from the C2 server in memory or dropped to disk.
- Stage 2 Payloads: CobaltStrike can download and execute additional modules or payloads (e.g., Mimikatz, PowerSploit scripts, custom executables) from the C2 server. These are used for privilege escalation, credential dumping, lateral movement, and data exfiltration.
Privilege Escalation Steps
CobaltStrike utilizes common privilege escalation techniques:
- UAC Bypass: Exploiting known vulnerabilities or misconfigurations to bypass User Account Control (UAC) and gain elevated privileges.
- Credential Dumping: Using tools like Mimikatz (often injected directly into memory) to extract plaintext passwords, hashes, and Kerberos tickets from memory.
# Example Mimikatz command (executed via Beacon) to dump LSASS sekurlsa::logonpasswords - Token Impersonation/Theft: Stealing access tokens from other processes with higher privileges to impersonate those users.
- Exploiting Vulnerabilities: Leveraging specific CVEs (e.g., older Windows privilege escalation vulnerabilities that remain unpatched) to gain SYSTEM privileges.
Lateral Movement Techniques Used
CobaltStrike facilitates lateral movement across a network:
- PsExec / SMB: Using Windows Management Instrumentation (WMI) or SMB to remotely execute commands and drop/execute payloads on other systems.
- Remote Service Creation: Creating and starting a new service on a remote machine to execute code.
- Scheduled Tasks on Remote Systems: Creating scheduled tasks on remote machines.
- PowerShell Remoting: Leveraging PowerShell remoting to execute commands and scripts.
- Pass-the-Hash / Pass-the-Ticket: Using stolen credentials (hashes or Kerberos tickets) to authenticate to remote systems without knowing the plaintext password.
Data Exfiltration Methods
Data is exfiltrated through the Beacon's C2 channel, disguised as normal network traffic. This can include:
- Encrypted Data Uploads: Sensitive files or gathered information are encrypted and sent back to the C2 server via HTTP/S POST requests or DNS queries.
- Selective Data Transfer: Attackers can specify which files or data to exfiltrate, often targeting specific directories or file types.
Anti-Analysis / Anti-Debugging / Anti-VM Tricks
CobaltStrike's Beacons and stagers incorporate several anti-analysis techniques:
- Memory-Only Execution: Many payloads are designed to run entirely in memory, avoiding disk artifacts.
- Process Injection: Injecting Beacon code into legitimate system processes (e.g.,
svchost.exe,explorer.exe) to evade detection and blend in with normal system activity. - Anti-Debugging: Detecting the presence of debuggers and terminating the process or behaving differently. This can involve checking for debugger flags, timing checks, or attempting to trap exceptions.
- Anti-VM / Anti-Sandbox: Detecting virtualized environments (VMware, VirtualBox) or sandboxes by checking for specific registry keys, device names, CPUID instructions, or MAC address patterns.
- Code Obfuscation: Storing critical strings or API calls in an obfuscated format, requiring runtime decryption.
- Resource Packing: Embedding payloads within resources of executables, requiring unpacking at runtime.
MITRE ATT&CK Full Mapping
| Technique ID | Technique Name | Implementation | Detection |
|---|---|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols | CobaltStrike Beacons extensively use HTTP/S for C2 communication, often disguised using Malleable C2 profiles to mimic legitimate web traffic. | Monitor for unusual HTTP/S traffic patterns, non-standard User-Agent strings, or beacons communicating with known malicious domains/IPs. Analyze Malleable C2 profiles for deviations from expected network traffic. |
| T1071.004 | Application Layer Protocol: DNS | Beacons can use DNS for C2 communication, particularly for data exfiltration or command retrieval, leveraging TXT or CNAME records. | Monitor for an unusually high volume of DNS queries, especially for TXT records, or queries to suspicious domains. Analyze DNS packet payloads for encoded data. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | CobaltStrike heavily relies on PowerShell for execution of various post-exploitation tasks, including reconnaissance, lateral movement, and payload delivery, often executed via powershell.exe -EncodedCommand. |
Detect the execution of powershell.exe with suspicious or obfuscated -EncodedCommand arguments. Monitor for PowerShell scripts performing suspicious API calls or network connections. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | CobaltStrike can execute commands directly via cmd.exe, often used for basic system interaction or launching other tools. |
Monitor for suspicious cmd.exe executions, especially those involving network commands, file manipulation, or launching of other executables. |
| T1055.012 | Process Injection: Process Hollowing | A common technique where a legitimate process is started in a suspended state, its memory is hollowed out, and malicious code is written and executed. | Monitor for processes that are started in a suspended state and then have their memory modified or code executed. Look for unusual memory regions or calls to NtUnmapViewOfSection followed by WriteProcessMemory. |
| T1055.001 | Process Injection: Native API | CobaltStrike injects its Beacon code into legitimate running processes (e.g., explorer.exe, svchost.exe) using native Windows API calls like CreateRemoteThread, VirtualAllocEx, WriteProcessMemory. |
Detect suspicious API call sequences associated with process injection. Monitor for code caves or unusual memory regions in legitimate processes. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | CobaltStrike creates registry run keys (HKCU\...\Run, HKLM\...\Run) or places executables in startup folders to ensure persistence across reboots. |
Monitor for the creation or modification of registry run keys and startup folders. Look for executables being added to these locations that are not part of legitimate system software. |
| T1078 | Valid Accounts | CobaltStrike leverages stolen credentials obtained through credential dumping (e.g., Mimikatz) or other means for lateral movement. | Monitor for anomalous login events, especially from unusual source IPs or at odd hours. Analyze credential access events in security logs. |
| T1003.001 | OS Credential Dumping: LSASS Memory | CobaltStrike uses tools like Mimikatz to dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory. | Detect access to the LSASS process memory (lsass.exe) by non-system processes. Monitor for specific Mimikatz command execution patterns. |
| T1543.003 | Create or Modify System Process: Windows Service | CobaltStrike can create new Windows services or modify existing ones to achieve persistence or execute payloads. | Monitor for the creation of new Windows services with suspicious names or executable paths. Audit changes to existing service configurations. |
| T1105 | Ingress Tool Transfer | CobaltStrike Beacons download additional payloads, tools, and modules from the C2 server. | Monitor for unusual outbound connections initiating file downloads to executables or script files. Analyze network traffic for downloads of executables or scripts from suspicious sources. |
| T1570 | Lateral Tool Transfer | CobaltStrike can copy itself or other tools (e.g., Mimikatz, PowerSploit scripts) to remote systems for execution. | Monitor for suspicious file copies to remote systems, especially executables or scripts that are not part of standard system administration tools. |
Indicators of Compromise (IOCs)
File Hashes (SHA256 / MD5 / SHA1)
- SHA256:
d1d89530dafec1f0318f1d0e5c6a5397876728b1475d8e1f2d8e7e60f99972cb- MD5:
e16774abe801617b9668301327c93cb3 - Type: zip
- MD5:
- SHA256:
24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9- MD5:
d47de3772f2d61a043e7047431ef4cf4 - Type: unknown
- MD5:
- SHA256:
9aabbd8fdf34c28f7350afcbda9587cda4c4d73b8e2c2043349ac1803e66eea5- MD5:
0bf547e4592f9c449f20b0d08ed39bb5 - Type: sh
- MD5:
- SHA256:
780932a6633d9a56cb1622f0accfd45dce315ec023c04b051bca683f8917ae49- MD5:
c32b4563d66d31abd05d6256bf7f692e - Type: unknown
- MD5:
- SHA256:
251acef3eb67202c82e5969eb22ab4902b1ba53df362dc486511657d3ce51b3d- MD5:
fd7f470d455d8d4884b7363ce8996b66 - Type: elf
- MD5:
Network Indicators
- C2 Domains/IPs: Specific domains/IPs are highly variable and profile-dependent. Look for domains/IPs with low reputation, unusual registration patterns, or those associated with known malicious infrastructure.
- Ports: Primarily TCP 80 (HTTP) and 443 (HTTPS). DNS C2 uses UDP 53.
- Protocols: HTTP/1.1, HTTPS, DNS.
- HTTP/S Beacon Patterns:
- User-Agents: Can be customized. Common patterns mimic legitimate browsers (e.g.,
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36) but can also be entirely custom. - URIs: Often obfuscated or mimic common web paths (e.g.,
/submit.php,/images/logo.png,/admin/login.asp). - Request Methods: Primarily POST for sending data, GET for retrieving commands/payloads.
- Headers: Custom headers may be present, or standard headers might be manipulated.
- Data Encoding: Base64, AES encryption are common.
- User-Agents: Can be customized. Common patterns mimic legitimate browsers (e.g.,
- URL Patterns: Look for patterns that don't align with normal web browsing, especially those involving random-looking query parameters or unusual path structures.
Registry Keys / File Paths / Mutex
- Persistence Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName>
- Dropped File Names: Highly variable. Beacons might be dropped as
.exe,.dll, or disguised as legitimate files in temporary directories (%TEMP%,%APPDATA%\Local\Temp), or in user profile directories. - Mutexes: CobaltStrike Beacons typically create a mutex to prevent multiple instances from running. The mutex name is often derived from the Beacon configuration or a random string. Examples:
Global\Microsoft-Windows-CoreUser_323334or custom-generated GUID-like strings.
YARA Rule
rule CobaltStrike_Beacon_v4 {
meta:
description = "Detects CobaltStrike Beacon v4.x implants"
author = "Malware Analyst"
date = "2026-04-27"
malware_family = "CobaltStrike"
threat_actor = "Various"
reference = "MalwareBazaar, VirusTotal"
score = 70
// This rule is designed to detect common characteristics of CobaltStrike Beacons,
// particularly those leveraging in-memory execution and specific API hooking patterns.
// It's crucial to note that Malleable C2 profiles can significantly alter network IOCs.
// This rule focuses on binary artifacts and runtime behaviors.
strings:
// Common indicators of a CobaltStrike Beacon's internal structure.
// These strings are often found in memory or unpacked binaries.
$s1 = { 4D 5A ?? ?? 00 00 01 00 03 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0