From 9bae60354a2106d86fc99c08e949b6ed36ed7ce6 Mon Sep 17 00:00:00 2001 From: Colson Wilhoit Date: Mon, 23 Mar 2026 10:17:14 -0500 Subject: [PATCH 01/14] [New Rules] macOS Unified Logs Apple Event Detections Adds 5 new alerting rules and 1 hunting query leveraging the macOS Unified Logs integration to detect malicious AppleScript activity via Apple Event telemetry from the com.apple.appleevents subsystem. Alerting rules: - Hidden Text Password Prompt via AppleScript (T1056.002) - Volume Mute via AppleScript (T1059.002) - Clipboard Access via AppleScript (T1115) - AppleScript ASCII Character Obfuscation and Shell Execution (T1027, T1059.002) - AppleScript Run Script from Hidden File in Staging Directory (T1059.002, T1564.001) Hunting query: - Do Shell Script Execution via Apple Events (T1059.002) Relates to: elastic/ia-trade-team#847 Co-Authored-By: Claude Opus 4.6 (1M context) --- ...tion_do_shell_script_via_apple_events.toml | 37 ++++++ ...tion_clipboard_access_via_applescript.toml | 96 ++++++++++++++ ..._text_password_prompt_via_applescript.toml | 105 +++++++++++++++ ...cation_and_shell_exec_via_applescript.toml | 119 +++++++++++++++++ ..._in_staging_directory_via_applescript.toml | 125 ++++++++++++++++++ ...execution_volume_mute_via_applescript.toml | 101 ++++++++++++++ 6 files changed, 583 insertions(+) create mode 100644 hunting/macos/queries/execution_do_shell_script_via_apple_events.toml create mode 100644 rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml create mode 100644 rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml create mode 100644 rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml create mode 100644 rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml create mode 100644 rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml 
diff --git a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
new file mode 100644
index 00000000000..bf5121c04f2
--- /dev/null
+++ b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple
+Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell
+commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands
+for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts
+for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript. This
+detection leverages the `com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+integration = ["unified_logs"]
+uuid = "447987db-4501-416b-b3b3-9176871a6b20"
+name = "Do Shell Script Execution via Apple Events"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+ "This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.",
+ "A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.",
+ "Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.",
+ "Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.",
+ "If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.",
+]
+mitre = ["T1059.002"]
+query = [
+'''
+FROM logs-unified_logs.log-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unified_logs.log" AND message LIKE "*syso,exec*"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+'''
+]
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
new file mode 100644
index 00000000000..c00ab2be057
--- /dev/null
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
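Review bot: The query's `NOW() - 7 day` window and the `event_count >= 3` cutoff are not documented in `notes` or `description`, so a reader of the hunt page cannot tell why a host with one or two events is absent or that both values are meant to be tuned. Add a note such as `"The query covers the last 7 days and only returns hosts with at least 3 syso,exec events; adjust the NOW() - 7 day window and the event_count threshold to fit the environment."`. The filter is also a bare `message LIKE "*syso,exec*"`; if the Unified Logs integration exposes the log subsystem as a field, restricting it to `com.apple.appleevents`, which the description already names as the source, would keep any other log line that happens to contain the substring from inflating a host's count.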
@@ -0,0 +1,96 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unified_logs"]
+maturity = "development"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects clipboard data access via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type
+`Jons,gClp` corresponds to the `the clipboard` or `get the clipboard` AppleScript command, which retrieves the contents
+of the system clipboard. macOS stealers commonly access clipboard data to harvest cryptocurrency wallet addresses,
+passwords, sensitive tokens, or other data the user has recently copied. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+ """
+ Clipboard manager applications, productivity tools, and text processing utilities may legitimately access clipboard
+ contents via AppleScript. Review the source process and context to determine if the activity is expected.
+ """,
+]
+from = "now-9m"
+index = ["logs-unified_logs.log-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Clipboard Access via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Clipboard Access via AppleScript
+
+This rule detects the `Jons,gClp` Apple Event, which indicates an AppleScript accessed the system clipboard. Clipboard access is a common technique used by macOS stealers to harvest sensitive data such as cryptocurrency wallet addresses, passwords, or tokens.
+
+### Possible investigation steps
+
+- Review the `message` field for the full Apple Event debug output to understand the clipboard access context.
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for related Apple Events on the same host, such as `syso,exec` (shell execution) or network connections, which may indicate exfiltration of clipboard contents.
+- Check for recent `syso,dlog` (display dialog) events that may indicate a fake prompt was used to trick the user into copying sensitive data.
+- Review the host for known stealer malware indicators, unauthorized scripts, or recently modified files.
+- Check if the clipboard access coincides with the user interacting with sensitive applications (password managers, cryptocurrency wallets, banking sites).
+
+### False positive analysis
+
+- Clipboard manager applications (e.g., Paste, CopyClip) frequently access clipboard contents.
+- Productivity tools and text editors with clipboard integration may trigger this rule.
+- Automation workflows (Shortcuts, Automator) that process clipboard data.
+
+### Response and remediation
+
+- If clipboard access is determined to be malicious, assume sensitive data may have been captured and take appropriate action (rotate credentials, move cryptocurrency funds, etc.).
+- Isolate the affected host and investigate the full attack chain.
+- Remove any malicious scripts, applications, or persistence mechanisms.
+"""
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "28fd38cf-43c0-4904-b756-8ed9694e8f13"
+severity = "medium"
+tags = [
+ "Domain: macOS",
+ "Data Source: macOS Unified Logs",
+ "Data Source: Unified Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *Jons,gClp*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1115"
+name = "Clipboard Data"
+reference = "https://attack.mitre.org/techniques/T1115/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+ "host.name",
+ "host.id",
+ "message",
+ "event.dataset",
+ "process.name",
+ "process.executable",
+ "user.name",
+]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
new file mode 100644
index 00000000000..3408883437b
--- /dev/null
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
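Review bot: The triage note tells the analyst to identify the source process by correlating timestamps with Elastic Defend telemetry, yet `[rule.investigation_fields]` lists `process.name` and `process.executable`, which implies the Unified Logs entries carry the sending process directly. If the integration populates those fields for `com.apple.appleevents` records, the investigation step should say so, e.g. `- Check process.name and process.executable on the event for the process that sent the Apple Event before correlating with other telemetry.`; if it does not, the two fields will be empty in the alert panel and should be dropped from the list. The same investigation step and field list appear in the password-prompt, ASCII-obfuscation, hidden-file and volume-mute rules in this patch, so whichever way it resolves should be applied to all five.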
@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unified_logs"]
+maturity = "development"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of AppleScript's `display dialog` with hidden text input (`htxt=true`) via macOS Unified Logs Apple Event
+telemetry. The Apple Event type `syso,dlog` corresponds to the AppleScript `display dialog` command, and the `htxt=true`
+parameter indicates the dialog is configured to mask user input, which is characteristic of a password prompt. While this
+pattern has legitimate uses in authentication workflows and IT tooling, it is also commonly abused by macOS stealers to
+present deceptive credential harvesting dialogs. Triage should focus on identifying the source process and determining
+whether the prompt is part of an expected application workflow. This detection leverages the `com.apple.appleevents`
+subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+ """
+ Legitimate applications or scripts may use `display dialog` with hidden text input for password prompts. Review the
+ source process and the context of the dialog to determine if the activity is expected. Common legitimate uses include
+ IT administration scripts, password managers, or application authentication flows.
+ """,
+]
+from = "now-9m"
+index = ["logs-unified_logs.log-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Hidden Text Password Prompt via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Hidden Text Password Prompt via AppleScript
+
+This rule detects AppleScript `display dialog` commands configured with hidden text input. The Apple Event `syso,dlog` with `htxt=true` in macOS Unified Logs indicates a dialog box designed to capture sensitive input such as passwords. This pattern has legitimate uses but is also a known technique used by macOS stealers to harvest credentials via deceptive prompts.
+
+### Possible investigation steps
+
+- Review the `message` field to examine the full Apple Event debug output, including any dialog text (`dtxt`) that may reveal the prompt message shown to the user.
+- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Check for related Apple Events in the same time window from the same host, such as `syso,exec` (do shell script) or network activity, which may indicate post-credential-harvest exfiltration.
+- Investigate whether the dialog text references system-level prompts (e.g., "System Preferences", "Keychain", "macOS Update") commonly impersonated by stealers.
+- Review the host for recently installed or modified applications, scripts, or LaunchAgents that could be the source of the AppleScript execution.
+
+### False positive analysis
+
+- IT administration tools may use AppleScript dialogs for legitimate authentication workflows. Verify the source application and whether it is part of standard IT tooling.
+- Password managers or security tools may trigger this pattern when prompting for master passwords.
+- Developer or automation scripts may use `display dialog` with hidden input for internal tooling.
+
+### Response and remediation
+
+- If the prompt is determined to be malicious, immediately isolate the affected host to prevent credential exfiltration.
+- Reset any credentials that may have been entered into the dialog.
+- Identify and remove the malicious script, application, or persistence mechanism responsible for the prompt.
+- Check for lateral movement or additional compromised hosts using the same technique.
+- Review endpoint telemetry for evidence of data exfiltration following the credential capture.
+"""
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "699f3a9b-4e4c-43ce-b612-04580766c69f"
+severity = "medium"
+tags = [
+ "Domain: macOS",
+ "Data Source: macOS Unified Logs",
+ "Data Source: Unified Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *syso,dlog* and message: *htxt*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+[[rule.threat.technique.subtechnique]]
+id = "T1056.002"
+name = "GUI Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/002/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+ "host.name",
+ "host.id",
+ "message",
+ "event.dataset",
+ "process.name",
+ "process.executable",
+ "user.name",
+]
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
new file mode 100644
index 00000000000..027ade7f2de
--- /dev/null
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
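Review bot: The description keys the detection on `htxt=true`, but the query only requires the substring `htxt` anywhere in `message`, so it cannot distinguish a masked prompt from a dialog that the debug output logs with `htxt=false`, if that form ever appears; verify the literal spelling in the appleevents output and either match it, `message: *syso,dlog* and message: *htxt=true*`, or reword the description to say that the presence of any `htxt` parameter is the indicator. The rule is also tagged `Rule Type: BBR` while the `[rule]` table carries no `building_block_type = "default"` key, which the repository's building-block rules set and its unit tests may check; the volume-mute rule in this patch has the same tag and the same omission.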
@@ -0,0 +1,119 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unified_logs"]
+maturity = "development"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects AppleScript ASCII character obfuscation followed by script execution via macOS Unified Logs Apple Event
+telemetry. The Apple Event type `syso,ntoc` corresponds to the AppleScript `ASCII character` function, which converts
+integer values to characters. When multiple `syso,ntoc` events are observed in rapid succession followed by `syso,exec`
+(do shell script) or `syso,dsct` (run script), it indicates an attacker is building obfuscated command strings
+character-by-character before execution. This is a common evasion technique used by macOS stealers to bypass static
+string-based detection of malicious commands. This detection leverages the `com.apple.appleevents` subsystem debug logs
+and does not require private data enablement.
+"""
+false_positives = [
+ """
+ Some legitimate AppleScript-based tools or utilities may use ASCII character conversion for text processing. However,
+ the combination of repeated ASCII character conversions followed by shell execution is uncommon in legitimate usage.
+ Review the source process and context to determine if the activity is expected.
+ """,
+]
+from = "now-9m"
+index = ["logs-unified_logs.log-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AppleScript ASCII Character Obfuscation and Shell Execution"
+note = """## Triage and analysis
+
+### Investigating AppleScript ASCII Character Obfuscation and Shell Execution
+
+This rule detects a pattern where multiple AppleScript `ASCII character` conversions (`syso,ntoc` events) are followed by script or shell execution. This technique is used by macOS stealers to evade detection by building malicious command strings one character at a time instead of using plaintext strings.
+
+### Possible investigation steps
+
+- Review the `message` fields across the sequence to understand what characters were being converted (the integer values may reveal the reconstructed command).
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for the resulting `syso,exec` or `syso,dsct` event to understand what command was ultimately executed.
+- Check for network connections, file writes, or credential access events following the execution.
+- Review the host for known stealer malware indicators, unauthorized `.scpt` files, or recently modified LaunchAgents/LaunchDaemons.
+- Attempt to reconstruct the obfuscated command by collecting all `syso,ntoc` events in the sequence and mapping the integer parameters to ASCII characters.
+
+### False positive analysis
+
+- Legitimate text processing scripts that convert character codes are uncommon but possible. The key differentiator is the sequence of multiple conversions followed by shell execution.
+- Developer tools that generate or transform text using ASCII values may trigger this rule if they also execute the result.
+
+### Response and remediation
+
+- If the obfuscated command is determined to be malicious, immediately isolate the affected host.
+- Identify and remove the source script or application responsible for the obfuscated execution.
+- Review what was executed via the `syso,exec`/`syso,dsct` event and assess the impact (credential theft, data exfiltration, persistence, etc.).
+- Check for persistence mechanisms installed by the executed payload.
+"""
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "4c37d695-95e2-4ed8-a567-8a24f28a1028"
+severity = "medium"
+tags = [
+ "Domain: macOS",
+ "Data Source: macOS Unified Logs",
+ "Data Source: Unified Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Execution",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=30s
+ [any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,ntoc*"] with runs=5
+ [any where event.dataset == "unified_logs.log" and host.os.type == "macos" and
+ (message like "*syso,exec*" or message like "*syso,dsct*")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.investigation_fields]
+field_names = [
+ "host.name",
+ "host.id",
+ "message",
+ "event.dataset",
+ "process.name",
+ "process.executable",
+ "user.name",
+]
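Review bot: The sequence is keyed only on `host.id`, so five `syso,ntoc` events from one process and a `syso,exec` from an unrelated process on the same host within 30 s satisfy the pattern, which is exactly the false positive the `false_positives` text about text-processing tools describes. If the Unified Logs entries carry the sender's pid, keying on it as well, `sequence by host.id, process.pid with maxspan=30s`, would bind both stages to the same script; if they do not, the triage note should warn that the two stages may originate from different processes and that the `process.*` fields must be checked on each event in the sequence. Either way the choice of key deserves a sentence in the description, since it decides what the `runs=5` burst actually ties together.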
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
new file mode 100644
index 00000000000..c57b92b63b2
--- /dev/null
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -0,0 +1,125 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unified_logs"]
+maturity = "development"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects AppleScript `run script` execution referencing a hidden file in a common staging directory via macOS Unified Logs
+Apple Event telemetry. The Apple Event type `syso,dsct` corresponds to the `run script` command. This rule matches
+UTF-16LE hex-encoded paths for hidden files (dot-prefixed) in `/tmp/`, `/private/tmp/`, `/var/tmp/`, and `/Users/Shared/`.
+macOS stealers commonly stage obfuscated or secondary-stage scripts as hidden files in these world-writable directories
+before executing them via `run script` to evade casual inspection and file-based detection. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+ """
+ Legitimate applications rarely use `run script` to execute hidden files from temporary or shared directories. If this
+ activity is observed, investigate the source process and the contents of the referenced file. Automated build or CI/CD
+ processes running on macOS endpoints may occasionally use temporary hidden files for script staging.
+ """,
+]
+from = "now-9m"
+index = ["logs-unified_logs.log-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AppleScript Run Script from Hidden File in Staging Directory"
+note = """## Triage and analysis
+
+### Investigating AppleScript Run Script from Hidden Temporary File
+
+This rule detects the `run script` AppleScript command (`syso,dsct` Apple Event) targeting a hidden file in common staging directories (`/tmp/`, `/private/tmp/`, `/var/tmp/`, `/Users/Shared/`). The path appears in the Apple Event debug output as a UTF-16LE hex-encoded string. Stealers commonly write obfuscated or secondary-stage scripts as hidden files in these world-writable directories before executing them.
+
+### Possible investigation steps
+
+- Review the `message` field to extract the full hex-encoded file path and decode it to identify the exact hidden file being executed.
+- Check if the hidden file still exists on disk at the decoded path (e.g., `/tmp/.payload.scpt`, `/Users/Shared/.stage2.scpt`) and analyze its contents.
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for preceding file write events to the staging directory that created the hidden file, particularly from `curl`, `wget`, `osascript`, or other download/scripting tools.
+- Check for subsequent Apple Events such as `syso,exec` (shell execution), `Jons,gClp` (clipboard access), or `syso,dlog` (dialog display) that may indicate the payload's actions.
+- Review network connections from the host around the time of execution for data exfiltration indicators.
+
+### False positive analysis
+
+- Legitimate use of `run script` with hidden files in temporary or shared directories is very uncommon. This pattern is a strong indicator of malicious activity.
+- Some development or build tools may stage scripts in these directories but rarely as hidden files.
+
+### Response and remediation
+
+- Immediately isolate the affected host as this is a strong indicator of active malware execution.
+- Recover and analyze the hidden script file before it is cleaned up.
+- Identify the full attack chain: how the file was created, what it executed, and what data may have been compromised.
+- Remove any persistence mechanisms and malicious files identified during investigation.
+"""
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "30c1662e-b7c7-4210-abd5-2a9a544cab78"
+severity = "medium"
+tags = [
+ "Domain: macOS",
+ "Data Source: macOS Unified Logs",
+ "Data Source: Unified Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *syso,dsct* and
+ (
+ message: *2f0074006d0070002f002e00* or
+ message: *2f0070007200690076006100740065002f0074006d0070002f002e00* or
+ message: *2f007600610072002f0074006d0070002f002e00* or
+ message: *2f00550073006500720073002f005300680061007200650064002f002e00*
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+ "host.name",
+ "host.id",
+ "message",
+ "event.dataset",
+ "process.name",
+ "process.executable",
+ "user.name",
+]
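Review bot: The `note` heading reads `### Investigating AppleScript Run Script from Hidden Temporary File` while `name` is `AppleScript Run Script from Hidden File in Staging Directory`; the other rules in this patch repeat the rule name verbatim in the heading, so this one should be `### Investigating AppleScript Run Script from Hidden File in Staging Directory`. The four hex literals in the query are also opaque to anyone reading or tuning the rule, and KQL has no comment syntax to annotate them in place; add a line to the triage note mapping each to its decoded prefix, in query order `/tmp/.`, `/private/tmp/.`, `/var/tmp/.` and `/Users/Shared/.`, so a reviewer can check the encoding and an analyst knows which directory matched without decoding by hand.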
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
new file mode 100644
index 00000000000..3be70420469
--- /dev/null
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unified_logs"]
+maturity = "development"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of AppleScript to mute the system volume via macOS Unified Logs Apple Event telemetry. The Apple Event
+type `aevt,stvl` corresponds to the `set volume` command, and the presence of `mute=true` indicates the system audio is
+being silenced. macOS stealers commonly mute the system volume before executing noisy operations (e.g., launching
+applications, playing audio, or triggering system sounds) to avoid alerting the user. This is a low-fidelity indicator
+that should be correlated with other suspicious AppleScript activity on the same host. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+ """
+ Legitimate applications, accessibility tools, or user automation scripts may use AppleScript to control system volume.
+ Media applications, presentation software, and meeting tools commonly adjust volume settings programmatically.
+ """,
+]
+from = "now-9m"
+index = ["logs-unified_logs.log-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Volume Mute via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Volume Mute via AppleScript
+
+This rule detects the `set volume` AppleScript command with mute parameter via Apple Event telemetry. While volume control is a common legitimate operation, it is frequently observed as a pre-indicator in macOS stealer malware that silences the system before performing noisy malicious operations.
+
+### Possible investigation steps
+
+- Review the `message` field for the full Apple Event debug output to confirm the mute operation details.
+- Correlate with other Apple Event activity on the same host within a short time window, particularly `syso,exec` (shell execution), `syso,dlog` (dialog display), or `Jons,gClp` (clipboard access).
+- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs.
+- Check for recently installed or modified applications, `.scpt` files, or osascript invocations on the host.
+- Look for subsequent suspicious activity such as credential harvesting, clipboard access, or data exfiltration.
+
+### False positive analysis
+
+- Media players, video conferencing tools, and presentation software commonly control volume programmatically.
+- Accessibility tools and hearing aid integrations may adjust volume settings.
+- User-created Automator workflows or Shortcuts that control system volume.
+
+### Response and remediation
+
+- If correlated with other suspicious AppleScript activity, treat as part of a potential stealer infection and investigate the full attack chain.
+- Isolate the host if additional indicators of compromise are identified.
+- Review and remove any unauthorized scripts, applications, or persistence mechanisms.
+"""
+references = [
+ "https://pberba.github.io/security/2026/02/21/aemonitor/",
+ "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 21
+rule_id = "bd087b7b-3671-4f47-8db7-14e77635877a"
+severity = "low"
+tags = [
+ "Domain: macOS",
+ "Data Source: macOS Unified Logs",
+ "Data Source: Unified Logs",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *aevt,stvl* and message: *mute*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.investigation_fields]
+field_names = [
+ "host.name",
+ "host.id",
+ "message",
+ "event.dataset",
+ "process.name",
+ "process.executable",
+ "user.name",
+]
From 2ac193b339c4202ddf264fb7d8ff34a6dff6e3f0 Mon Sep 17 00:00:00 2001
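Review bot: The description states that `mute=true` is the indicator, but the query matches `message: *mute*`, so an unmute operation would also fire if the `aevt,stvl` debug output prints `mute=false`, and the media and meeting tools listed under `false_positives` would then trigger in both directions. Confirm the literal form in the appleevents output and match it, `message: *aevt,stvl* and message: *mute=true*`, or change the description to say that any mute parameter on `set volume` triggers the rule. This is the same description-versus-query gap as the `htxt` check in the password-prompt rule earlier in this patch.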
From: Colson Wilhoit Date: Mon, 23 Mar 2026 10:22:22 -0500 Subject: [PATCH 02/14] =?UTF-8?q?Fix=20unit=20test=20failures:=20KQL?= =?UTF-8?q?=E2=86=92EQL=20migration=20and=20missing=20hunting=20doc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Convert all 4 KQL alerting rules to EQL (`any where ... message like`) to avoid wildcard queries on `message` field which is `match_only_text` type and does not support KQL wildcards - Add missing markdown documentation for the hunting query at hunting/macos/docs/execution_do_shell_script_via_apple_events.md Co-Authored-By: Claude Opus 4.6 (1M context) --- ...cution_do_shell_script_via_apple_events.md | 45 +++++++++++++++++++ ...tion_clipboard_access_via_applescript.toml | 6 +-- ..._text_password_prompt_via_applescript.toml | 6 +-- ..._in_staging_directory_via_applescript.toml | 14 +++--- ...execution_volume_mute_via_applescript.toml | 6 +-- 5 files changed, 61 insertions(+), 16 deletions(-) create mode 100644 hunting/macos/docs/execution_do_shell_script_via_apple_events.md diff --git a/hunting/macos/docs/execution_do_shell_script_via_apple_events.md b/hunting/macos/docs/execution_do_shell_script_via_apple_events.md new file mode 100644 index 00000000000..aaafdf7c374 --- /dev/null +++ b/hunting/macos/docs/execution_do_shell_script_via_apple_events.md 
@@ -0,0 +1,45 @@
+# Do Shell Script Execution via Apple Events
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript.
+
+- **UUID:** `447987db-4501-416b-b3b3-9176871a6b20`
+- **Integration:** [unified_logs](https://docs.elastic.co/integrations/unified_logs)
+- **Language:** `[ES|QL]`
+- **Source File:** [Do Shell Script Execution via Apple Events](../queries/execution_do_shell_script_via_apple_events.toml)
+
+## Query
+
+```sql
+FROM logs-unified_logs.log-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unified_logs.log" AND message LIKE "*syso,exec*"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+```
+
+## Notes
+
+- This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.
+- A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.
+- Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.
+- Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.
+- If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.002](https://attack.mitre.org/techniques/T1059/002)
+
+## References
+
+- https://pberba.github.io/security/2026/02/21/aemonitor/
+- https://www.elastic.co/docs/reference/integrations/unifiedlogs
+
+## License
+
+- `Elastic License v2`
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index c00ab2be057..1a32281a296 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-unified_logs.log-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Clipboard Access via AppleScript"
 note = """## Triage and analysis
@@ -66,10 +66,10 @@ tags = [
 "Tactic: Collection",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *Jons,gClp*
+any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*Jons,gClp*"
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 3408883437b..5a92427dbff 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -24,7 +24,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-unified_logs.log-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Hidden Text Password Prompt via AppleScript"
 note = """## Triage and analysis
@@ -71,10 +71,10 @@ tags = [
 "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *syso,dlog* and message: *htxt*
+any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,dlog*" and message like "*htxt*"
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index c57b92b63b2..e832ae3f89d 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -23,7 +23,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-unified_logs.log-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "AppleScript Run Script from Hidden File in Staging Directory"
 note = """## Triage and analysis
@@ -69,15 +69,15 @@ tags = [
 "Tactic: Defense Evasion",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *syso,dsct* and
+any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,dsct*" and
 (
- message: *2f0074006d0070002f002e00* or
- message: *2f0070007200690076006100740065002f0074006d0070002f002e00* or
- message: *2f007600610072002f0074006d0070002f002e00* or
- message: *2f00550073006500720073002f005300680061007200650064002f002e00*
+ message like "*2f0074006d0070002f002e00*" or
+ message like "*2f0070007200690076006100740065002f0074006d0070002f002e00*" or
+ message like "*2f007600610072002f0074006d0070002f002e00*" or
+ message like "*2f00550073006500720073002f005300680061007200650064002f002e00*"
 )
 '''
 
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index 3be70420469..c270d68d035 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -22,7 +22,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-unified_logs.log-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Volume Mute via AppleScript"
 note = """## Triage and analysis
@@ -67,10 +67,10 @@ tags = [
 "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.dataset: "unified_logs.log" and host.os.type: "macos" and message: *aevt,stvl* and message: *mute*
+any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*aevt,stvl*" and message like "*mute*"
 '''
 
 [[rule.threat]]
From 3d0709a85c3fae5de2e31b7f97f09cc12bae33b9 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Mon, 23 Mar 2026 10:29:17 -0500
Subject: [PATCH 03/14] Add unified_logs message field to non-ECS schema for EQL validation
Register `message` as `match_only_text` for the `logs-unified_logs.log-*` index pattern so the EQL validator recognizes the field in Apple Event detection rules.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 detection_rules/etc/non-ecs-schema.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 5722fd0236e..f70aa9e2f21 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -282,5 +282,8 @@
 "metrics-*": {
 "system.process.cpu.total.norm.pct": "double",
 "system.cpu.total.norm.pct": "double"
+ },
+ "logs-unified_logs.log-*": {
+ "message": "match_only_text"
 }
 }
From 72deb61ad24b96e8cf26b0b3a075c9ed2a632080 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Mon, 23 Mar 2026 10:35:19 -0500
Subject: [PATCH 04/14] Fix non-ECS schema: use keyword type for unified_logs message field
The EQL validator's KqlSchema2Eql type_mapping only supports keyword, ip, float, integer, and boolean. Text types (including match_only_text) return None and cause "Field not recognized" errors. Register message as keyword so EQL treats it as a string type.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 detection_rules/etc/non-ecs-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index f70aa9e2f21..cbadd3c9f5c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -284,6 +284,6 @@
 "system.cpu.total.norm.pct": "double"
 },
 "logs-unified_logs.log-*": {
- "message": "match_only_text"
+ "message": "keyword"
 }
 }
From a9c59d4b2edcb2ab4827d031182ed25ef1013cd1 Mon Sep 17 00:00:00 2001
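Review bot: The `"logs-unified_logs.log-*": { "message": "keyword" }` entry is a validator-only shim that declares a `match_only_text` field as `keyword`, and the rest of the series orphans it: PATCH 05 moves every rule query onto `apple_event.*` fields, and PATCH 08 changes the index pattern to `logs-unifiedlogs.unifiedlogs-*` while its diffstat lists no change to this file. Once no rule queries `message`, drop the entry rather than leave a type declaration that does not match the real mapping, since any later `message like` query would validate against it. The surrounding JSON object begins outside the hunk, so the hunk cannot show whether the same pattern is declared elsewhere in the file.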
From: Colson Wilhoit
Date: Mon, 23 Mar 2026 14:08:15 -0500
Subject: [PATCH 05/14] Update Apple Event rules to use structured fields from index mapping
Switch from message wildcard matching to enriched keyword fields (apple_event.type_code, apple_event.mute, apple_event.decoded_payloads, apple_event.parameters). Update index pattern from logs-unified_logs.log-* to logs-unifiedlogs.unifiedlogs-* and event.dataset to match actual integration naming.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../execution_do_shell_script_via_apple_events.toml | 4 ++--
 .../collection_clipboard_access_via_applescript.toml | 5 +++--
 ..._hidden_text_password_prompt_via_applescript.toml | 5 +++--
 ...r_obfuscation_and_shell_exec_via_applescript.toml | 8 ++++----
 ...en_file_in_staging_directory_via_applescript.toml | 12 ++++++------
 .../execution_volume_mute_via_applescript.toml | 5 +++--
 6 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
index bf5121c04f2..4bd3c917493 100644
--- a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
+++ b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
@@ -23,9 +23,9 @@ notes = [
 mitre = ["T1059.002"]
 query = [
 '''
-FROM logs-unified_logs.log-*
+FROM logs-unifiedlogs.unifiedlogs-*
 | WHERE @timestamp > NOW() - 7 day
-| WHERE host.os.type == "macos" AND event.dataset == "unified_logs.log" AND message LIKE "*syso,exec*"
+| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.unifiedlogs" AND apple_event.type_code == "syso,exec"
 | STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
 | WHERE event_count >= 3
 | SORT event_count DESC
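Review bot: The markdown added in PATCH 02 at hunting/macos/docs/execution_do_shell_script_via_apple_events.md still embeds the previous query (`FROM logs-unified_logs.log-*` and `message LIKE "*syso,exec*"`) and its notes direct analysts to the `message` field, while this hunk moves the hunt onto `apple_event.type_code`; the diffstat of this patch, and of PATCH 06 and PATCH 08 which rewrite the same query lines again, lists no .md change. Regenerate the doc from the TOML once the index and dataset naming settles so the published query and the source query cannot diverge. The `notes` entries above `mitre` sit outside the hunk, so whether they also still reference `message` is not visible here.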
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index 1a32281a296..9601f7079f4 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unified_logs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clipboard Access via AppleScript"
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*Jons,gClp*"
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp"
 '''
 
 [[rule.threat]]
@@ -89,6 +89,7 @@ field_names = [
 "host.name",
 "host.id",
 "message",
+ "apple_event.type_code",
 "event.dataset",
 "process.name",
 "process.executable",
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 5a92427dbff..72c888b36fe 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unified_logs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Text Password Prompt via AppleScript"
@@ -74,7 +74,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,dlog*" and message like "*htxt*"
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
+ apple_event.parameters like "*htxt=true*"
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
index 027ade7f2de..01d03b22d97 100644
--- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unified_logs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript ASCII Character Obfuscation and Shell Execution"
@@ -74,9 +74,9 @@ type = "eql"
 
 query = '''
 sequence by host.id with maxspan=30s
- [any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,ntoc*"] with runs=5
- [any where event.dataset == "unified_logs.log" and host.os.type == "macos" and
- (message like "*syso,exec*" or message like "*syso,dsct*")]
+ [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
+ [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and
+ apple_event.type_code in ("syso,exec", "syso,dsct")]
 '''
 
 [[rule.threat]]
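Review bot: `sequence by host.id` in the ASCII-obfuscation rule correlates the five `syso,ntoc` events and the following `syso,exec`/`syso,dsct` event across every process on the host, so within the 30s maxspan an unrelated script that emits one event of the second kind completes a sequence that a different script started, which both inflates false positives and makes the alert point at the wrong process. If the integration populates `process.pid` for these entries (the rules' investigation_fields already list `process.name` and `process.executable`, so some process attribution exists), keying on it, `sequence by host.id, process.pid with maxspan=30s`, ties the obfuscation and the execution to one script; if it does not, a comment in the rule stating that cross-process correlation is intentional would help the next reviewer. The same `by host.id` clause is carried unchanged into the PATCH 06 revision of this hunk. The `query` string is fully inside the hunk.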
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index e832ae3f89d..f0309b5e0dd 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -22,7 +22,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unified_logs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript Run Script from Hidden File in Staging Directory"
@@ -72,12 +72,12 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*syso,dsct*" and
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dsct" and
 (
- message like "*2f0074006d0070002f002e00*" or
- message like "*2f0070007200690076006100740065002f0074006d0070002f002e00*" or
- message like "*2f007600610072002f0074006d0070002f002e00*" or
- message like "*2f00550073006500720073002f005300680061007200650064002f002e00*"
+ apple_event.decoded_payloads like "*/tmp/.*" or
+ apple_event.decoded_payloads like "*/private/tmp/.*" or
+ apple_event.decoded_payloads like "*/var/tmp/.*" or
+ apple_event.decoded_payloads like "*/Users/Shared/.*"
 )
 '''
 
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index c270d68d035..c62297a40dd 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
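Review bot: Two of the four `apple_event.decoded_payloads` patterns are dead: because each pattern begins with `*`, `"*/tmp/.*"` already matches every value that `"*/private/tmp/.*"` or `"*/var/tmp/.*"` matches, and the same leading wildcard makes `"*/tmp/.*"` fire on any payload containing `/tmp/.` at all, such as a `/tmp/./` or `/tmp/../` path component or a user-owned `.../tmp/.cache` directory. Either delete the two subsumed lines, or, if `decoded_payloads` holds a bare path rather than script text, anchor the patterns (`"/tmp/.*"`, `"/private/tmp/.*"`, `"/var/tmp/.*"`) so only dot-files directly under the staging directories qualify; a one-line comment in the rule recording what `decoded_payloads` contains would settle which form is correct. The same four patterns are carried unchanged into the PATCH 06 and PATCH 07 revisions of this rule. The `query` string is fully inside the hunk.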
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unified_logs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Mute via AppleScript"
@@ -70,7 +70,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unified_logs.log" and host.os.type == "macos" and message like "*aevt,stvl*" and message like "*mute*"
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
+ apple_event.mute == true
 '''
 
 [[rule.threat]]
From 34c19a57103ce2fac09f5d9a80f6c0e0b72a7c5e Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Mon, 23 Mar 2026 14:33:40 -0500
Subject: [PATCH 06/14] Fix event.dataset to match pipeline output: unifiedlogs.log
The ingest pipeline normalizes event.dataset to "unifiedlogs.log" regardless of the data stream name. Update all rules and index patterns accordingly.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../queries/execution_do_shell_script_via_apple_events.toml | 4 ++--
 .../collection_clipboard_access_via_applescript.toml | 4 ++--
 ..._access_hidden_text_password_prompt_via_applescript.toml | 4 ++--
 ...haracter_obfuscation_and_shell_exec_via_applescript.toml | 6 +++---
 ...om_hidden_file_in_staging_directory_via_applescript.toml | 4 ++--
 .../unified_logs/execution_volume_mute_via_applescript.toml | 4 ++--
 6 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
index 4bd3c917493..74e343d60a7 100644
--- a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
+++ b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml
@@ -23,9 +23,9 @@ notes = [
 mitre = ["T1059.002"]
 query = [
 '''
-FROM logs-unifiedlogs.unifiedlogs-*
+FROM logs-unifiedlogs.log-*
 | WHERE @timestamp > NOW() - 7 day
-| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.unifiedlogs" AND apple_event.type_code == "syso,exec"
+| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.log" AND apple_event.type_code == "syso,exec"
 | STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
 | WHERE event_count >= 3
 | SORT event_count DESC
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index 9601f7079f4..0525e57ddd2 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.unifiedlogs-*"]
+index = ["logs-unifiedlogs.log-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clipboard Access via AppleScript"
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp"
+any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp"
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 72c888b36fe..46e269b7bf6 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.unifiedlogs-*"]
+index = ["logs-unifiedlogs.log-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Text Password Prompt via AppleScript"
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
+any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
 apple_event.parameters like "*htxt=true*"
 '''
 
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
index 01d03b22d97..abda49a4aed 100644
--- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.unifiedlogs-*"]
+index = ["logs-unifiedlogs.log-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript ASCII Character Obfuscation and Shell Execution"
@@ -74,8 +74,8 @@ type = "eql"
 
 query = '''
 sequence by host.id with maxspan=30s
- [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
- [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and
+ [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
+ [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and
 apple_event.type_code in ("syso,exec", "syso,dsct")]
 '''
 
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index f0309b5e0dd..e189c8b23b9 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -22,7 +22,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.unifiedlogs-*"]
+index = ["logs-unifiedlogs.log-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript Run Script from Hidden File in Staging Directory"
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dsct" and
+any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dsct" and
 (
 apple_event.decoded_payloads like "*/tmp/.*" or
 apple_event.decoded_payloads like "*/private/tmp/.*" or
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index c62297a40dd..9dc69764359 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.unifiedlogs-*"]
+index = ["logs-unifiedlogs.log-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Mute via AppleScript"
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
+any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
 apple_event.mute == true
 '''
 
From 98516ca9d60884a3ae7761b22dfd8c6404a61ad7 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Mon, 23 Mar 2026 14:40:24 -0500
Subject: [PATCH 07/14] Fix password prompt and hidden file rules based on actual field values
- Password prompt: apple_event.parameters is an array of parameter names (e.g. "htxt"), not key=value strings. Match on array value instead of wildcard pattern.
- Hidden file rule: expand to also match syso,exec (do shell script) in addition to syso,dsct (run script), since both can execute hidden files from staging directories.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ...tial_access_hidden_text_password_prompt_via_applescript.toml | 2 +-
 ...t_from_hidden_file_in_staging_directory_via_applescript.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 46e269b7bf6..9681ae8fdb1 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -75,7 +75,7 @@ type = "eql"
 
 query = '''
 any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
- apple_event.parameters like "*htxt=true*"
+ apple_event.parameters == "htxt"
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index e189c8b23b9..3fb07cad1d6 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dsct" and
+any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and
 (
 apple_event.decoded_payloads like "*/tmp/.*" or
 apple_event.decoded_payloads like "*/private/tmp/.*" or
From 14eb1416a910c5b56e20a3d66a0d1d01a49ea7c9 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit Date: Mon, 23 Mar 2026 16:27:51 -0500 Subject: [PATCH 08/14] Add unifiedlogs integration schema and fix data stream references - Pull unifiedlogs integration manifest and schema via CLI - Fix integration tag: unified_logs -> unifiedlogs (matches EPR package) - Fix index pattern: logs-unifiedlogs.log-* -> logs-unifiedlogs.unifiedlogs-* - Fix event.dataset: unifiedlogs.log -> unifiedlogs.unifiedlogs - All rules pass local validation with updated schemas Co-Authored-By: Claude Opus 4.6 (1M context) --- .../etc/integration-manifests.json.gz | Bin 27004 -> 27103 bytes .../etc/integration-schemas.json.gz | Bin 7974839 -> 7975251 bytes ...tion_do_shell_script_via_apple_events.toml | 6 +++--- ...tion_clipboard_access_via_applescript.toml | 6 +++--- ..._text_password_prompt_via_applescript.toml | 6 +++--- ...cation_and_shell_exec_via_applescript.toml | 8 ++++---- ..._in_staging_directory_via_applescript.toml | 6 +++--- ...execution_volume_mute_via_applescript.toml | 6 +++--- 8 files changed, 19 insertions(+), 19 deletions(-) diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 7e812ab2871df31e03c1e06e490bfc054c29fdcb..8a98f97b534a99211483fa177ac59ec9139deb07 100644 GIT binary patch delta 131 zcmV-}0DS-a(gEMo0S6z82nai`!LbKuX>hb3dpjAw8`qc1Ma$d6(&jt%(xlCP-Hc}Q zdPAM-(Z!#C8mu3=`uAN`+9=27&+)P9)#_}LiQK#Yc|2*p==`jG>bvRe`l)(>FT&|7 l%K_yuIyo$5IUJoFE@e49og6+XmX$}1IpZ`Cj)6dXx#1H`Wb`Ny` 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 19403ba053311ed05946cc4b20f218479a332891..54b156d00f9bf871b6f4f5af71d131f0b2904356 100644 GIT binary patch delta 13072 zcmcJ#cRZE<|399>B{NxN79p}_?<7e?8QElI?{Qg2<4Pzpud-Ljv3Is4n~;^2Eu&-a z@jWNit9rfOzuV`Z-#^!5JRi^d^D&;|I@j}*j832E9-lq|Fa+Y^$>!8P03ZMh0**t# z2?)T302~Owg#fe?4+2g?06qi|KmZ{G5J3Pj1du?$DF`5ifYT5_1_9&{Kmh@i5I_Y1 zXCUA#1W-c&4Fu3a038I-LjVH=oP&V#5WollOb~DZ0+=Cy1p-(h;35RDK>#}hT!H`& z2;hVOE(qX;03Hb7g#bPX;D>A5Fh~ok`N#T0n!j4 z0|8ecKo$b7LVz3uT!R342)GUb3J`Du0u&+OCIl!!fHDN!f&di=P=$co5O4Ha|pN(0TvKo z2?16RU=0B_5MT=db`W3>0S*x02mwwI;0ysS5a0>{ZV=#J1c03PB;o1zMchggqiKu* zOU&Fe&&pW@X1`IZeF}de=2~AE6NDICoGI1g{3A>=M8nKvt zla)mN($a~&V^Y8u`6%)4Tn!1DtR0iG0BzXROpqUg$!8|z+5(n7+)QAa#S`_Abzakr z$jph7^Jy}c>h&f2f-Q`tJnVbNVR3n>hT~9RMXd$FePFD|iIO5mEGAH<<5)g`ON>Dx z>_wR@8d$~zWW(oFA^240mCnp_5>_<<&%)d$;7M2o{lG1=Pj{JDhR>UTR2T&X&iqPZ zq!>(U0#b8_+ajiKB3q3iTfD5gJaf__oY0 z&(pyAfuB|dHyq1!P5P{!0uCP5l?o=j&SPf+3cLcFwagz%7Mx5L&pT;-Ji3M@_XqJW zfS1j{bJ$Oebzi|0=AamM`+!>stY!}K0tA)S3mQ*I;6!tf430MkDR8Npd85ikJ+9K;fNPD88hS#2uHu*%u))V6|XM}Ns9{fhG@i$!D$?Pc<&gu)rO+PW`E1E$3 z7n$HlH>L=hQ&=S(#`5!`)2)TEEYQpAlm!SJJ)|u_Tx@GvMs085&T^Cz!x610MEhI7T`&o?SA3OTmKjUFM@+)ufD1K zYakX3RINiJ5$$omn)7G@LuP8u+t4kxkCzd}JKe2X*YDSzoMzPex=}av`i?Y(3XU3!UL~Tu{(9bLh>2Kt>-jqGbzPnx+Vqd0$;0W zxZtq%99Dzg7=1P|d>&C?l7)($UmB#SzZv%p4mxpNSpX+RcF^;ojyTyEF9Bi}wOQ zF9rn8)UCYRNu27;S6Y{t-wALHh~q+-rUlFu)~+?$b(qyj8pK;iaTb_}=n#@{RXF#X zA^A}&BTBOVy{M%)zu?Q!k2e!HUH5(5GnmXp@l9ooN!<{+S`JIkx+PH~ErJrGl}qYG zGYPp4aqA)kQ>)IrVwQFF>4Q14dAS`qvT?Tp_&3;Jt%*BO(FAqX^ObYsKP&7o`#QR6 zzrvOAZUnLH!?)YB`bpcm7v;-YJgb*UL8Goo(Ofe1l=baM*&#y~b$)6K;HSe`u#!1q zmmJrl*KZ;c#xpvLvuQkh!|Q`qCS5Ampx@!J_t%t$u92LSezTBv&6bo72l_Fh z=T^u-3%!!9h!LWBi^XW|ESBs7IMD{Z=A~^wcHGesONy8Vc+3VAz$mD2ygiZYk?=NYIx$l-?nBehJEZnR>XdKz+!I;*LA~#+=ad7!QKM5f%0WPgij#n zbrdSFWW!w4OE=rH>V#IDpG4+#eNpUQy}6if6U8*X6ZH07{0N0|T5^52xOnB|y?bsR zybJeSdCOnwwQ`wJ6$B2{FO0Vo1R~ngB&yx?yeCi7+zQ=Lq_sQGWk3e|x4btU=YzZL 
z!5cU$Z|kRM;7)t+4pB*|m!d8U*HJr0rGPg>0p|dk?@ck1*zKwA_fx|R%VS$?v=0aF zpQ+*xT(IrYJ2yDeu_|jy;J8EoB+>XQn;Kc3fB#i$MnTfuu&4d%WDY~zx11*=r9=h9 zW|t)xL&=)_C$Bm(ZmTkG6TzyE=vNURM^FYEzV4$4FFSxV@J9zw7-yw}CDZ_Ra0Hd$ z1V<16_Q?Dvg>XaRR!5LoLL@jwzMW|%1fd%ov!Jw*YS5kYwQp@curCLZoPAT0g&{1s zsbO+L6Ao@FpVV970yj;-5@f(G?vpHqHn`IXyb0($Su8g4tox^cC(s3i$DBZMcnMuI z9CQhNjNk`O;B`z5@vzbMnwau(kuJ&$SeNL#VjW-gGo8^KDUO2&ok0e`^KpfzSSces z>I~jE&5R0llX_jDbEQ|I%SYx55yvPz<^tZvQH?}V6~G~G;7vTODvr^>080~LWGjjsv7-GfrF~os_KJPT|q&N0X6Ps62~aY3{G?b`B_K1IYzVozo(lg zdb+_??jQ~B7NK%pQ!Q)&f}*fA2$JJ2o4W=a^1vbJM%WGn+2JL3kO1f4lk#%>cPoC8 z`j~OIN%FMr&T$L+IDKlLJh93%lzarQpw=s9=L=qFHFB6xu1sk)O3ie~jg|+0;WU89 zJU~g9#{>QLvhu1DJuR_3Kx+7f2PlGFP~z1BcX)s*0N7%_5m~(iFMEJo7+WU9%G-*m zE4l{}`*-G=`yL@{)wioddxUi&59c41hf4Hx;aTF@jU;%LkN0*S)Q$N$lj=KdsjMhb zf%ZWbpHsyzt~?^ZQi{GBl#n`QwHLkFe_?Ij`{0T&-;724e%}?S_qj)9Nj>H2fOXfJ z|7G#Q-se%p`l};Gi=0^NiZoL7h(^<;EWo(Bkefulnu?pGr1H6ovx!^%m`JJcvI$sq zBi5`e&aAn_YJ!nCZ0Z2ekdV}WT@(yasqEQKCBAJ!v(D^;P*jiX8___Y9VZ+Lv=v(=>Wo6+fQxlQ-mou1}VkvY}v>R9%z2r-S_h#ak| zvKIM3YyAvH`Tfd8y0slb*Ww}CO+d zVDuzpT_)~ex~xG`gbYCSAtuf12H$R|5H_~Bek8Yt*uX{JQD06l7qEv{wRuDz&_%d&7P*{7%^jkWDnNTHyD2ma3 z7a{HI62TT0)2=?(vUbJ6TVq3)E&64_;|$MyE_C~)G8JiW@W0BO+eA=^c#_xmb@Z4- zarFwtvA-*$G!nBLG$fz%o3`sX*s-Uy+PZMAwj(pvAuiXG~dA2l!_=iga)n!30Iu>YVU$b+pLskOXLZl;_*~0 z?+q7-c5x>dv}}#)k+5ous{HgRrW{H2)mU5S^8)uUdjKQ#%{EFYG1~6fDwZON$#3~8 zo+j$vArLFIM_i`IJPk?ToMgy1smFS^kkN;l_bI_G3A^f=PMh87OLUyO7nKLY7I={( z$w?8{;d;<3GRF^b>vFYv-tazt$F#sk&zP7?X`5GRZxqt1lpCfQ6m0d2n24Y_bgh0V zL2TB-Fs3(Lh5LeGnQ?Ao*Qt!9mlcJY@%oIAidDV>=(JsFBUe7v?Pqil&fU!vGyo^N zMD1^~)6uV<@6*q>9LSzmm@q8=rkSv_@O6@ocJnM{R$U%R^tU2b=7dW%LjpWNE0zK`~{7P zpxJUwTw0{r!mWB>_hs_6n@Jfs4(x8PxcPVOESz6c>?w+$ zaLe0Wn)bMHIDD1ThHJ`sSW6<>VwnAqSBJx|!N#){OzgKsop#C5)Y6w|$^i21eGD?M zbx2H@$*-HYrQXr*RxsZUb+vsYiZGI0rGiO$y6A1ldkXX34F^%Drd22cLQfUWBP1 zf)q^N8iDt#FVQ^n5s;$yDLlAA-xYPo%**D^q6ck+#qeqYol6_M{16m_46W~*iK{}irrKlcGc=-|f>IeYf?kmzP%7wp)+~(YfPu}6FhjO6ns(FN^vZT4-ZGSR)vS0 
z@Gl~^itTGfcI@Uc9%`%_>|+?N#xYNqgQ}$-O};l^)xcO!KytxvWSjoG@4d$*9pX!G z4YB?Z`F?gY{1Hkop4Iy!ARbH;+zEkXOe(oT@yF~XN`F~@Z~HL{ng|>Xat7-Q{2~w} z=NMxBF*NouG~VMMnL>Ms^~IX(7~F=c!xWo|Am}Wn*zz8Ua@tB`SQKBOzblFz|2$H_?HgeM@?ouBbO zKrfpkd~32_kzp9=e`o6yMMbGUUdf-1{EWf)6Wktz{?3OE0!RJVw)Dp?W%4ulnqNZ} z`~M8}dteFw4(chs{->*t2Wxx2z#Ku~8N`ka3*%)kjk?_)6TX;^6;l`0Yd8*;IC-l< z^jgXb-;#@|7c2Y@Mh}MN`%=%s zN)LV-*RE7qz+C?7o#2$P_&cb3R&FG$n)(9eVr7I#Pmi=uCN8_;mC}Q|!a;9(8Ou)# zXFCTj%ucQjEz9Yd$g_*{=fGcr!LwIf#mZxc+ilHD3I+!j7hHdcLaWWKm-ureyIU^_ zo}zh5^d9%#iM$8>($?qro19OYg}zd71^JsSsV^rt*TA_i(Hp4LyYzgk7Wr7&3Bcn)2%ys1pte6i9?BahJ{od_=c=Z$7_=hv!eKS#erD}?}7I9YH48s|6 zy(E}^`1UViYppg=q-y%h>JJ82j|ScM>~GFZUZsfpU)E^Lf2ZssCWROjvb?QLu;SKHY%I2=93NhFI;s^ z!bb_PS2%dYN4^W)SzOX~TAwETMy0it({v|Ru25gYhxX8I`NhowL`HOO24W|8hoNwX zQ>a?~Q1V-mRttY->|vq)#{~@u?$3z(w;j|f^dkktR~tBJ$qu!2Dd?wckX@a@q00gs zG2HnLCd-!z#bSC4DuTFeGfyT(I~xq_SuEt(u=k>QopQ}8n{0;?N~dAh?)iP>Km%!X zaX-Eb4a26jC+C5cizYRJg(R(##&&+T=GQ#$lDdnqBYy3kyB zNm@r!x*1i&-tYWCE1khwD65UR3j`ZU6B}zj!lxJKC`ZQX(DL9znAMCEsW83oC zWZ8LbLran{LOn|2ePNkx`Q6b$(z$h0z8xzG#gaWa$sH}uu8%me8y^rA3-|ip7|d3c z2hG&L5PH>jx*b=FXdRI2{TUiBoEKJYN zIK6w)@QIy!FkUUEVj&fg_1v<*Fe?%LKq0ej&z#M+L$d388jX;^frX{xyIU`BHsq9) zTWs}Ncv#mDI?R|4%owk{Anw>LY>{#ZlGxm56j&747o$_(yt=+UWj8bxeBp3e`xa__ zq$)~hE$Fjm+3Z_X2ar~ zt)^Rf*7_hRupzxrae3bG^F>>0H{)`e!Qph*52Pdn`@JN@>^c{D zT7luw;4tF%6{_j;xh{PZ!cq+nVyZ_%VhG-xzHMsx>Wyh?7Jbizc7f7&5QFmZ=YqsI zp*E%f*CwFv%T6VLBrtIT`hNSL^>_W}z}E-=D<%I7+~xWoDTyd{>a-9uK!0wz^nV(j zNE{rs5Cc0(W4%7|)3e$goLxiC52kn8TWQ$iG=EOEnV+_jQEGgbkR!cYmMrzTz_! 
z_d!u~Gpvq9#OF<#uHGlv5bZp7>wPc_agsQ@Z*q)KBT|G;V@QG%X%N~rI^tt5?s+rc zqOOHNMcK`&lPG>1wy><<0Z*Q zgJiT?hFO>SzaS3A8|zDEm=o=1^Xl5>QY9#1LYmDym%HMJ#@)E{*K^AJ>JX-5C5NUX z>ei}uR*bG}_N#XFE*)XVQCVKavW@H z3Z4xPg%LR)B$+!K1f|M$595M;QeunJW&-Z#zIlp!c*(~_GN11)3B%0f7n)N#BJpn8 zYY0(^x?KBk4zaBHwaI|i5(Fxj$HSgJle(jzQj#Y>JxW1i7%4fo_e9FsV_-lWRc2e& z__?o*Wdd;+FeGqB>s3R$wI8y~>tcQI_^6&_c%znNeunVDp<7xo_mw0jw3UxM${`u5lWy6ZEL24`-*z7fU!OCTCM$V2etID8bFp~lF zuN@J;t=2Bq;gweXHu`xyaj+EU3(D&RDL7rnEglp~YbUsk9{27(;?Mon)X{z1yYGKC z?I*&uuR(I4P&z&hXXg%F{Tie~+#xV|TKGHuPt2XGoG*-ew10{}M#qS=1%=W=;=*(< zh-dFKtp7^rQGWNbdnayu&uIepY~b&}325*1tS})QVXh_WB&^&RO|H(-X37fby>68v z&_!KYc&$W~DK@12>C05+&d>zDU!~ik%krze|4aOkV@W9s1?1F^EW4c(QFhee7fsrR2$iuZ0z&1r4x*^hbjCarz)$SdZ`WLphDFg%$q7G_A3 zDsXQoDN5h&T&&hFU_@|PSWy-3Jul-v?2X!bxXwM7utUUI4U9!o^qOxD)N06+ z*XcSyV-^^80k~ZgQqB zcW9X%mG3n#&&IH)m{-5>?eKN-)O6Rzx@d)r!kZMe+w5!+;WrRBm|ut9M$6*)DHRS8 z816^QQ3GhH0A~HE!dS#<+&(^f<7eL=J(|OAH0ylP`45PbUY9U~{ceAYovpg`#v8=n z*y2Sg&i~=YJ%z6uv_D+^<=~V8^OWX)45+QJt@O7S=m?8aCXa&t%?|_{#*y+He}#>< z&Pv&n{ZA0=s=q>s2xpB5N0j}IF|ehZQ8NFfLL{nHV`AK!Q}V-SKlD|?g|{s%^&+$J z1DBs?H#Z}sw7mi+JYR8}N!4{0J(av0OTEE>@29+_;m18!%SGd}Vz!iov%0h zRsOL@{OmAzV1XZrE`j=*pE#v9!CpzxS}5)8In&ll=qfJoH=-MW2De66m{JJPWB=YD@O@hK4Mu zVwzVg4D?|kqOT2N9kY~G)6(yJVw)p(2@sWwbxd?=evYO|Kh@!giMjA%_T=pgtJ!mq z&iX?SnaTux74CGZPXu#Nug947KOzpgH8D?rYkcQVt4NPA;k zN3VQA`8W@rpOWz82c+sEnTI}AT)%s9y3WSRNy1*#_PM6j1*51Szm|a!{s0boNOSp= z@>h!yaIt#~-G8-zb8u5oVW%q9F|eoNZl}$@b@@;@VYN4z@Yu&%u5l-W>s}tN*cUdRf)ia>6 zY#otvcy-rDXr9UZOXJ+Ob?EbVXEQtAaKyZU$Aq})N*MeDokI^e@SjKOadkE1c8tis zXWSE=8WR#HQuh(|zc4nFx1XtD<4onVAJm_eZYoMg(IXg*km7lEsMc#sseCXMt&+Wv zFDI(>jU`qx#1Y)oR1v#V;u`pI=YXP}vHtMv#;9mGtl}c&ms+@Y7*mSOyHz`}Vq-50D zMyl$RP~aBAS~fad`5kE-NlVlGWR&a(oq1M97M@pAY{2C0H2SXw%R$E-z9&djc%rdp!a;~pXT z=WHJ_l((u&oE8nMoANV$o`HyyOaYw_5vJW+EP33@Ydaz1icY0zjpe<2&Bkqaok%GC z*`7L|uWzz_kr^pv)+sNTR@83{*coi+2;7+xJ0PCLb9pR!g)T8jMLwPB6X_gUly`Y7 zr+8O7&I-Pk1M*_o!tOaBA42X{X%wa3s&LHOYUQ?#PVnA*OSNQ2^QCJwJVp2ZwDgyzKgw0nQwh^M1Sc(4#S4veFpYK$&hCQq`{FD6 
zd#Amns@`Yp6qaS3{3u^?Joe(()qsL_?TD z=53Ax5kBI#4fS=wj{w;mRkZOy}HXpZ91Y~ zU6dTW7l^y6W!uU)JP@IkZ9)W$@paRQU@`xa*J=m)-y`W~NL(3oSxCTzt}nHk#@?=H zDY-8h3{TzK=JU3`duR2PE%%#jKDm*yMY;JBq>YxU7fZ`{W5+uJq=BaXadzzo!zD(Z z3R~k;9mu+7m5m_AK4I55pVN|Ku{m1S@?$Z%wAmWZJ=tAPzY<`tTy5=(cW#MWai$JB j3_`w>WO(PFn{j}&Q`*MAB5){m$S~$1=*&{REM9AJ-vNsvm z{M}3Y)A#rI{rCIBd9COBwcf9@?$P>X45x5#3+fq`Q%KnerLVSo$<$YFp21}I^G3I?cQ-~# z!oXD+kb;40Fdz*B*I_^g24rDC4hC+(fIJK+zQlrGh7Z*420e0inC?Xp8rDWF^8mtN__Y@5!-tjKA+%cXD23znwy=}a*A(L zqM1UrHE|T~k`3Vsy*QY%)HAZVW-(^Qh?$&YSvI)pSK>5mLOli6&4k0xG&tc7YcpYd-4mU*E1U!Lo znSh6}NYAeb&q?4TL}E+dP^AO&*E7(5Og%Dw+fKs42UvJZz-LgR4W%k9}=x*%}{ZAjFT(^h)mlCA}Y%fEv+`m8+h>s~qiPQT@7f~<+X(5vF94N;7QQeoEB6iNe z|7YSM%jseIo`;>V?tM^tVH?<61`Su_JrFSXOKp7j69-y@gx5)JdV)EC&(oW zkmH~^Vrv1?8k1GOW6e5}ekkn@o_ceQq{C5Koa%Qx_D5;Y`WSnnu*`S)J4uQ&j_~Sm z)Q<0qc1_OW!nYRGX1Me8OdfRAr@)D1qj_UlA*~&uMwNV}s_1B(0y>GuPLp(?;_!f< z;IO=1O>BJK%l4I`>#3w^%u25XpQ|PiN##fK^al3aj`ol2-?Yxqe{NN>+O1h=oiWuT z=Tw!GpI!#(25`)7poq>%PAv2%qLx&acLI_(I%{rb?38VVsDB!;JSD(Kp5A4_Br<*)^8YS^7yoiojZT5+jZ zfaAZ87{qOQ4m_LT@;5ywoFMPt{)yXtF{=}z>rqVU@0I3i;GZ8J&8g2CelImruwtiP z(T=*q)>_(LCu6>R+Y;UCOz(~q$lIk?-9OC`QFq*WkSD`r8mYs+)K*0xVpHt6RaUv7%7tO?}0DsaA^0)r<{K^lPGxIG)## z{KJJ3N4`xDO#{BULd%&jw`%4ztKLs`x(R33ITMg-?e;|?lyR<&b#sv(xag^=r#V(!n5 zv0Pt)ry;H0r)ps@?^6$rRN}LdB$-Asx3|MWv0O_fIqzyVtfRKKsTBrH)w(vh2IS2o zJmR(MK5v}L8l@}?%y&%McztE1fOdgVLuYL_$wjim6@3dzlhTiC-?VAVEhfAi%RU}H zM|{UTHj;KI4O5dENa!8X;ff&#^EjX%EgAWrHL*!UOXHwfeGE8 zvz~O6r?%hzB8(*3fM*dU8_WqkXafTHE3+Bul^`-~0}5cZlz1J5h1!`&lMN`1l>xC1 z!2)eAfGS;Goh>c0z4o?gevbCwi}oInTtMaOJ@(5{r{zMKYL1&6&cW6CE^d?Gv+h0E z+Qq|zC_90Sh`lX{i>pIZfFM3jpbTQ~1mXc4C|6WgnGwR{1YX4gj^fhz&+;QpPN2fE zx-2gqYc6~$a-D}9RZ&KA2xJE`L%kudyKGBm!f+|q0>5euG>U4cbm0$xgX+*QtQ;Z#f+%<$^gU2iAP_1?Exm;TU4XJVi zyQ^l5TzN{O_3Amzs1g$Nw!R6?qRZq~9>yZ@o1O&aW)?rl-inv=d0SLMHUD(=ydkx4RQwfw(%1*`ADE5EvLyl@=n0bE z-(I>ZIJcbCn&nG3c=pW2$4{>-FrEveXAHySQ0V~PK!zMJ7v?RefUlj%q60{al{v5n zLcCq;GiWBn#}O1mo;iY4_!5t=dz+p{>K#F5vE>@@tEeL#x_YJN(}0QH2LE=9w|s@T 
z$M%NcRP9&eB_4FN=M8ah7j$%~+yK*jm|IAc+fB7TL2hgL+h#wv?Fgk=mfIt z?d#rFA`7;dK`Jrq(&zg*07tP(dc0mD)GFcLF5}l_^>bTSAc?jh*D;CLh9!$Ra>q3L zxWWv;PIu&>3rJ5mcW`NLW#}F@KGNq5%93nHEZO2|olBY{JY;tZt&b?XfI?BOAT|DA zZjNU~G-BwAdAiAR0a1%fpAU&w^2m;r#vwGcnLl!}h72$RV&*Lf1a2PBi4ep={Za^8PHH+>bC)UDgOyW|0?*=P+XjlM$9EGPt~QrfYlNPNrUU0*w`*-k{eNOMqFQ0K5eYMV6?Y&~Ay zkdov-ujv^}Cr3m4;bm2OerHW}OX=t3z`4cb=W7jl90p!-(}#vaA-D8Jw!th<@aCg& zwDF6FwBObQ+?uBOx_TVF`sTOustRXIN@tyH!R%Ho3q+*Cb>;Pk+|@DWNVD$p;TExr63)5gF>4Un{g*DN7HYUh~3 zm&1)`FQ~5trPa=NLSIuyXLX?mE+m?aUT0kkExjU30(%vn#R|K6UiQj)#hz>E!fUnL zOHFyy-!()_J__Id^)7Q|dP<^@SL(3vi-4MOPO1bfNgd+|kdBRyyJd{iU>_{nO!tH8bo^FUcZ)VwLGVIz9PZDFi}_z z9xR$XUrJWkzuDh2F<uU1i)C0Hwh((L5d z0u0S_{iw=HqZWad2rRIV73bKP={df5>{ z6w6c!>+zeRrsDI>Q2HltH_Wy#&oEfA+qfdOu zo)D3sLut6QT&xlImabmT?IWrQVyDV{QR1i^7a`}?BXO(Ahn$(BOK`^!I|!t}y?arL z8exDya-c7@vhRh+-)e%s`2$XK(Kz4rgy$|uNibg1som%?M1u_71<9e_ zC+`dGhG^FD%YE$5-L+E-;yY^axn#@xVy1{+iKjb_x9?NS)rJdJTUpD@g{1+$%Ih4P zD~frXcD>f}eqRziTB2tASS_iD0JWBaAhoM49Yh-3WC<=bU*&qF%3i&2x!zN!&Y#^g zIwc84>J@a#Zm+q$tM;lf&{v=o6RfR;)~vO?IqT4+Tb17BTY8Ck;vNLsDqgeW3wqWP zrRDK0klo#3mm&2Pj85vyazH6XhYaeCWr0J0)@y2<07bJ0ZBMbLHapagU z=C(T}*`ut1EZ)OBe_&*MVCCTKD+$JFWcD5?iFaFCro$LX^ut-)dG z)rgNTc$T1{KlmX9{U{D{$`7Q&tB}bpeu*q#;XA&Vq<$O@vbH;BYB$G4HcCL8G$137h0e!Hi_sYGANu$j|zKx-&9&PJtd8+Fp z$LmA1NWI)wrU!KNcb5&&7k1uRzol+Gxtd>2N$$nHMEcpbmg+>jliqUHHO;f>q#XoS zkRQL1kYeMoXbFiOQBOCN)vVL~>YQL*ujozrIgRjh>Bn@61H^4^EGxG-$cs9vSu5!~ zXNbYw7R`C*N45BM`)7YuQk2EDa)ThVR-7Z9A61GHk6x)% z;wC?eC;1mq5Is0_y9M_E*?}7exDUR=GFiIpRCQI3*}CkVf9QV#u*}`f4_;ry9TJKZ z`_9dgtp$7+e`3Cu=Ewj3B+tHEtmy#K1cT(lGoQ~L&?V;l3Eng9hr~vf|B=ZbfW6!h z!(fmK`jOUMjCaGJ{XSv~5bDOg+ris(=Pn5!-LsNDyru&e4iH_!`HLushz`B~cAypK z1_`&=J1k>=iqxg|1mz;}5cbk`}G?wI(@ z8QPuE3h_sjBlM_l=OwG6F}v;}3l^^~W^1y7!@Yhs?*({V-nAXP2}~8Tr^(iqN!-zI zC5R!u%tuK4M5{^nyx@fck0~wVBMs(zD__1H)Q^viI6!$1zQv$P@Qa9G#PyHi$KM>4 z&_yFd@ zUGHk{b+Wo0{8#f1UdQPTP}_DqU7RMsXES`42L9=gj*A zUqUj{8&|nWE3e{Wn4?$Uz2dq3=w#AI3_&gjVcwheObDGnNM-vSboJJcEDra6*jx5v 
z{XfGr+Map;B7lJTO!R|WXYOH{TW!?**MgLd+o<#Z(EkKrnM25FOyktQh(GzU?0f0h zVK&-#^nJmr)2t7UJiqrRF&88quKgoB?jMCc>OmxeKx!LqQlI~EE%{Nh~J* zk9I0o=Egp-xA`NpA9eCyvq74IK}rDIg?CmFS_A9R1SEqwBP8SR`R5jNTXt6v-03-8IOQuY%$<$gr2~-mO$qt!)Sq3k&vE zC=1M(6{FPy`Df;ac+)2*Pu&dXpIu%*WHUY@l&l>%^99Ok;mAo!YIM3!Oy@f z?{aND8(-#snXcIxS67jexc&xP^TOQT?tQU;AG~pcFSF~C^=W})G!KYA;2Ys&`_wbG zGDXXnF?XXePwN&Ds{Q3>hXRjQ2jPRQY~i?E8pw-SG-BJkN#pNda&A>fUj2_ zfBabSdf{)-Z_EBil0RHO`kvcfs-eoJ*PzG~YG$fWFkGb1+gqH`gk$&qBH7BO$hBXn zpKvU5!r2D9_P6B1$kguqFEj@EpAI5fp&%Y)yPv@cwU2w9``*Z!A6f5p=G}jKhwWrv znX)OBFJW$NJu6>YeLC-7%+V47tk(66$m6&g1(S0*WZeO*rJb)9Y;#M}k4LrHZFa^? z3qt1hf{iFh-kV?RYMN<#^f zTUtC-27js$t3F4aPCQzYE;wLUN1uX@N-r&EG34Q5KD+1Bagro-reW7`I{J%?r-POJ zv3^D`)6JCZl7bA)K-;ha*A!13gONFQXspGxb$Z*XtNLK9Yu6EZ8v0dh4~`ux@a73Z zEgo9MsH*3w8k5;xJ%;4HsO5`mL*olM_s_;x&8$8+r)1l=Y`3OAFp^d{_^^P5K%Pdh zAW)v>Lcx+eOr!}Ft?$MHVBM`xtBL_~3%Tc(@uqLE z(&BBjyg5m(Y4-7V{;i`Zc|8W{DQJGcBi5$v15ldmUZ`fnyX&&B3i2F{RErv{&MVH- zOP`x1SlKYTuw%t9SGXZ1zOMB-w+Zjm+Q-rvqv$rSh zyhi$IH?@iT(#>;Q?G(jG@+Qh#PChH&bdNOeXeVFk`dryK{(y)iRZYJ@;h`Ovm9Msx(sPb!fmLh6h8N1b%KGI|6$-hMYy%(S5=;_Ek~XdH z^rYx*2i%-_J5QBrli5AkZCO-)?sX#axe z?K7{kPR+SD=xF0yoMAwli8|-YwMWtIIYfguS9wzWChn>ga=7 z(#W%{(yGDxiW?fddY_z`kn9M|+nc^!u}Zox`OC96q@#nmPZg$>==IM|*=o3z6!*6G zznOD&F%*99>^Di!N{Yb%bFjy-ei7AgWWbI7WowYH#O=O@7e%KWM83Fwn0?SoT6or0 zx-WQN(PV>FuLo{P?VN!gSJW7M<$Arak3t+GF~6&NMuMb!2MDW0w>gN6@@No@k=CD$ zu1;nSkGXN1H}%tB%yEoSnmgncU8U$fu&-Ay6-8vDFrT}$qcFK*571s@ZzpcW zGR((?D3gS>_?hLL`_IQ8YaVs?UXa@C_Ou$E+WppbYkTF!z?oTYcKpftYGuHvnYE3{ zI?kPzDn%$Xuu~+AkU{Or>l++=`SoqQH|ze(_^BRFJ+8u(EPFkYfy7^wdg)e;FNR^o zaHp}#P*$u1Kh?^=tK{lq!`R!Mt|ONbkecG1%?UN$*As!?q&CiYJubg)kc`;|gcJd( z5PJmknoom(L|Bf*W~2Xv+BgNz3WIM_^6d3q9`8@-!n`rF5X<$z*z zgp*iND8lmuq@*Nv=3tRlA^!2RJlQAAjgKN8xf}<|A`3AfzMgSW*s!cW+le?>u*R1o~V9lv)dnO5&!GOf(TFvtIKD+^~H^^E-g-3JGi zh8Kv>Q_OrIFAK}<3R7Ln6i^;1-axf%^fjw z{=Hso3piP%k<-|IB-8%=5QV^f8f1wGm?9Z2$@bA~8@0Y1x 
z^CcZc{KpBtf4a|$%cal&P*Yx<#0!Kg0W(xMwsO6X3nVe4-$FIHeHpX*0&TfPbhF=!j?pZe2E9k4>t(gjMrg)wqf|G(-D~$u}PUYQF!yH`^ORTS%c>p zk!icF#=a{hVWm>qnu9~5|mUdeO<8(zCdT4gWFhWtMpuEw{*P**jia4&!C08l_ zMqS!VnZUG30aR%;QFU%_+vs7)L%$RAnS5dQen{@ZO*$RT1o&n`wgIaQ{+Y3EQt(xE0f8HA(>eHiryS`e= zNKP!~TBP4!P`wmpIF0!)h`@2ky7v~vWcxS!^-R&N)r$I(ha6Kj@*gYjl2R|2&s-EO$bPv^UQm&R=Cbv6OoMtP z%*%>^?3HZ3cJ0}&-G`akYFzc*C9M#q*Sc6tNIz~ePjgHMy&j!60Wpc8vg}2*88hVE9Zko2 zAtv@mbWc6fZ0VQd#JO``#mlG{oVrEj7B`UB1bYz|e`B*G)6X{hf7o5NdygwZZ1MZ#-x_chyN?Z~0 znqJgHE~S8!xC(>rTgc@UkOIo1OR*E%Y5RTHe$HM@uRw-MT%? zHOezO{AxY4O=jPYrST6B>9GfnyBS$2Z#{tuTxzD5AW@GynhJHs*7F})+Zn#GYu=P? znh=~B&3?nB(O5hGh_Ex9@C>T?|MPv1aP`%=n?}lLB2A!Xsx@N-QsE0v7Tvgi5k6FT33&fwzy0|UdtNK&& zLaV9s>}4#m{#m@9)`u0Hx4+cANRkm}73S)k)s14adPv`Gp%P~+?zz&mMWeimCaOkn zB>FE8O*Pl_mhHToT64?tWH-<~?_QmK)--=|l}vP{sA#Xs`MW_t0DG|tM&7LK3a zPxaS|5LT9oL;nppB3oX|G92CSeRi!j&RK|A$|12TWznBrxKm` zvuqw>0set-fVs8^dEdC4 zD*1)!-rkj#b>m41C~xRl-}7;LmX8uS_vz-9wfvmvojLd;H%3M}=wpL!tdNi-WedMB zh;vL;P)>PuvyEkn+~uLLRGi~Wm)b}Sef~oo0imWM-moTZGcLcGf~{8WxnC}Ormw{H zimHup3T|*8R{163VXTSy`s-gd{zL`452yXU3~%L%blHOZUkj7;*WdhbjP-Q6tVx$E z;yz^Iz0AGU>FF#Iqj7(-YMJ(d5|xSJW|{9AKS^yHmsATwv?F_U1)kV+Qnx%v?T2Ef zbu6rN7$I}lr;6{IwI0Zu86~4mA6Tw@b$)5n(p5ya-Zfs?WKpQ};ikQ8x(+zA6DsBz7Ra27kV_!{VTcnx<`*A(a)+j;Im@Hj2;(xND&I|KEO z1a?a5-%ks8DOIaJ%5r-0RQfcWESN0p9`5RnG)nrcXbza_v)39YZ{ifk)_cF4^$=h| zIO*MLBWqeBs3->d7SBMn#cKj5R=nifDeI~orFu5H?_4-x>-{w?{LcEF-nPF z6c-xWZ2HdRl|yjubu{F^T}aF%ttl~wUTQ6OTy#mCHne-2~ zwhM-bK8O3}pgjfX{W`V$X6vfyt_3cJ3|k8y9-o+*ud0hxi}Ri4n{xG~FR53PI4&H% zJ-TTeGzG;Em`geDLZhwg%-LMumn0)Rc7W)Ea-*^dO-OV0qxoF#5@sTbt9n z{&`5cqE&YF>OlFF0nN+Wb34Qn1TKEUS574cD@ngP+eSKt5djxJQ#s8m@p8!ZOpxc` Y8^k>m NOW() - 7 day -| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.log" AND apple_event.type_code == "syso,exec" +| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.unifiedlogs" AND apple_event.type_code == "syso,exec" | STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY 
host.name | WHERE event_count >= 3 | SORT event_count DESC
diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index 0525e57ddd2..7e3ab915082 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2026/03/23"
-integration = ["unified_logs"]
+integration = ["unifiedlogs"]
 maturity = "development"
 updated_date = "2026/03/23"
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Clipboard Access via AppleScript"
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp"
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp"
 '''
 [[rule.threat]]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 9681ae8fdb1..60055b46fb6 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2026/03/23"
-integration = ["unified_logs"]
+integration = ["unifiedlogs"]
 maturity = "development"
 updated_date = "2026/03/23"
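Review bot: The data-stream name now appears three times per rule in this hunk — `integration = ["unifiedlogs"]`, `index = ["logs-unifiedlogs.unifiedlogs-*"]` and the `event.dataset == "unifiedlogs.unifiedlogs"` literal in the query — and drift between any two of them typically yields zero matches rather than a load-time error, so the rename is only verifiable by running the rule. It would be worth pinning this with a test that asserts every rule under rules/integrations/unified_logs uses the dataset value exported by the integration schema (the schema is patched in the same series, but as a binary blob, so the value cannot be confirmed from here), or at least a comment above `index` such as `# must match the event.dataset literal in the query below`. The same substitution is made in the credential_access, defense_evasion, execution_run_script and execution_volume_mute hunks that follow and in the hunting query above; this note applies to all of them.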
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Text Password Prompt via AppleScript"
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and
 apple_event.parameters == "htxt"
 '''
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
index abda49a4aed..c823499a67f 100644
--- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2026/03/23"
-integration = ["unified_logs"]
+integration = ["unifiedlogs"]
 maturity = "development"
 updated_date = "2026/03/23"
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript ASCII Character Obfuscation and Shell Execution"
@@ -74,8 +74,8 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=30s
- [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
- [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and
+ [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5
+ [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and
 apple_event.type_code in ("syso,exec", "syso,dsct")]
 '''
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index 3fb07cad1d6..6f60cfab684 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2026/03/23"
-integration = ["unified_logs"]
+integration = ["unifiedlogs"]
 maturity = "development"
 updated_date = "2026/03/23"
@@ -22,7 +22,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AppleScript Run Script from Hidden File in Staging Directory"
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and
 (
 apple_event.decoded_payloads like "*/tmp/.*" or
 apple_event.decoded_payloads like "*/private/tmp/.*" or
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index 9dc69764359..f149df459b4 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2026/03/23"
-integration = ["unified_logs"]
+integration = ["unifiedlogs"]
 maturity = "development"
 updated_date = "2026/03/23"
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-unifiedlogs.log-*"]
+index = ["logs-unifiedlogs.unifiedlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Mute via AppleScript"
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
+any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
 apple_event.mute == true
 '''
From c53eb7bcac0b7b61c3de65af1a89a8b19f912e7d Mon Sep 17 00:00:00 2001 From: Colson Wilhoit Date: Mon, 23 Mar 2026 16:40:24 -0500 Subject: [PATCH 09/14] Fix unifiedlogs schema dataset keys (remove version suffix) Co-Authored-By: Claude Opus 4.6 (1M context) --- .../etc/integration-schemas.json.gz | Bin 7975251 -> 7975237 bytes 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 54b156d00f9bf871b6f4f5af71d131f0b2904356..5322c7388724d76410866e4b705dd8bbf0da5423 100644 GIT binary patch delta 13190 zcmc(_cQ}=A{5am=(c&aRSw$sV_EsUItjgY5$=*HIAs&hl;wdvDgzUXXA|qta)3Nv7 z^Lq}}yL!Jrzw7h6uJ3hy|8T$dxL@~t?xSsJ?060451{rvaY8)X9e{wN5O53vjza(r z1mHpdhJyzICm`S?1e}6^(-3e50`MV#00IyYa25gxA>bSY5J3Pj1e}Ke5(prL05S-; z009>vfE)rSAb=7As33qE0xm(oWeA{w09pvR0s&Vc;2H$bLBMqgpoahk2w;Q&CJ11L z02T;fg#b1PxB&s|5WoQeoDjeT0o)M40|C4czy|^R5Fh{nf)F4C0m2X<0s%K6;1&ej zh5%6r5Q6}52)F|Q5)dE>0a6ek4FPu{;2s3XK!7X+$U%TS1SmkjeF%5}0S_TS5dxGT zKp6s5AV3uY)F40|0yH2%69Tj#KpO&dAV3!a9zlQ}1n5J60R$LAfDr^dh5%y-cme?? z5MT-cW)NTw0TvKo2?16RU=0B_5MT=db`W3>0S*xGG#3Dw9wB>*gU8x4(`2gm69Lcg zHhuq;Yg|c&@(K@b13eNUWE*FB+b%5buJ;C2B=k&GQ0Q%kl{D$zO(1;4Jdoe%@%i12 z$7e47&!CadxDo&VLw*K%F?-n(v;wl+O)rtx0a<)_SyDmqoAvg}3BlfR=QobJx6*I;SL$m?2AXLc+&pDb`T@sou2~LR%clQd)k;57M2=O*G{rnbal~ zCoPXf97!~<_)xI+^r=qh{zWi(w48K5Gc9zT+Na!J{&f2>I9Cru;H6J zl5n4B3b&tog99t*gBM^{eefhKk7)o+-u5E9MEJ5kNQz~g$Fk^ zBl?jX&eQ|1z!iGnNxUM{q}8U4TfaDX$myk+&_$1T*ck3=q&T_!3dsTD75pkfvDM_R$0=JGkLg$it9Z42sdiL@myxg~Z zsc(Kx)DwPZ0J7kbWVx{FZy$%F3_!LY1kvvV9*j1?^l8BWB*5Kvty{bJo6zYvyl4Ot zZ^O|48bk#*48E~E(@>R_!NlYwrLv~?s?(;T zHQ=_;Hrw6yvs^pf?F%0_P(76qNAoQ3M~*}V9DCZ!a?2H$%?7L(oqhbpAoJ{-;nPSx zg6qfY-Pj%9y-bTg=6U3@@LA8tN6yr!mWhw1a@^AH_Ed=K#^H9C(INT?KJ|2eGAiUb zdCdLhrL!k+{sNl=C-kdtq&1cuXLmbu>3AL6_SYGK?D@trQJ+^dSjch6u)K9Z$YUw7 z_8Ea3VrDKZ-gw?dXndwvU4D)D#W3@qEc=G&WQF$Yls1EGc9@}GIhhymH zSVixhC0d7dDOGBrL2Y}+YCL$(2&93VjX+$ym#0U`Q2hb0pAkq0@P4kbKC=${8-dqO z@B;o;A1H=Ne(B=j4&Ubc%mY_oY(pP|c))?F6*<_V!BuisEIFEzG#Z1k zcGvq(h5@badOH<2EYDCJul*gwz11Uj>3pIV(P<)ey#1)%O-gyZzkn4C*C(+Yir?IQb|Z44zLtiEa*Ye2 zovi=u_)G~sz@XHr(YE(I=Q=a1B;;dtoyNB~)AIdKJJYmqYC*|s3<6`Vv?@=ig>&lzW&NJ^(?Z|_-d<=|KZ3@q+_pW)H z$a=M)y+yri-j7uiNo}SFCaUc@EmBWYne4}GnCvq=&BEu`V)<-3D7tGr#&jhIjbjs- zYP*eI`bPim6f)^pvKzxYM}l`@SEM)`rld8NEpsp{Xr@N5rzr?MR;0agTP~~BW?ERA 
z`}&rzu7VqjVX!X9{!&YDCf9qc&3JpQ)z@a#>1inwM{1#^Lb2Iuc!$L*+hBdW#j4}C zo-#GH9Zn(7!S}{(i=5P-eG)(8C)?cbJIRvOvlV8G!bidlQsZ60tR}LoflzpK0*gQz z3$fisVSokc1KcTYdKTTa9sk$iCC**NB~jMCMU2my)K@o`LdaJH^j?RLpdCid*P1hm z4ErtGy06ZM%5-++36xv8_ya74f2Adin{aVPetDD4#4@Qpx{w! zc*PXFc1EC-ytA#>Ay-XC!w6O|!>k9C8OR8fm3J`k2EeRlpeUAc5_fA)X_^_1F#~B~ zc{9vf$1(-CzA8Hhhc=s?sI0z`FY>` zHF`>67G*A!J5zHtmD2K1uk7AbHf7q#DI2J;N(0S0e=4!9bqJ)2(z@uHDNssgf1~(~ zW+RIsX|``q&CDbF#nGM`xn<+#c}->N!cU)r<9E;1Iz4ab`eZP~ZuPd{9?Wh9a>4vo zm^0Sd+-lPcX0rl$urxVtGcyb79IR^zo`(gkKt?Q+5N`>r8J(^?53^W-d`eg!o19kQ zx`Z>YD}lET_eHPyMw()EJJPzm_2nh`o@Wtd-ntVij;A`rOli0Y!=KB1+M}Vd?+~L{ zZy*{dXbzBVB5-sLcs?R#O~V%$A?f;B(p40`Yz>ORuGSy|SW3Sdgvp`O3cLq@w*v8S zcT!%Abis>OAO)6Y#x|#c{o6E~e(rFcHORoXTnCOschS;01(!~Ct(a_a?QRXNPNR|- zg9E0_>5gIjGt8SL2N;9|xWMFzXsfYR8(1#m)jw)K#>)3+`-1Q+Q?QD3_9=r)x*kS5{x|{86p#lfmfiig7q4SVxS^n?ZRZJ+0e`vh* zSSHlG2O}KlfGJ;vJtlW2h0uA#@3d9uJQsY+9+bewKZ#pQ^4*ZNCw{o zG55BHr{E=Aq(R~a0ww@KsWW55Ha>hc5ksuA#QSg{#sankK^nHbo3d8?l+01%=*jnJ z(&9E>-OJgpRO^`ZN!U-ng&J=gUe=C+b~vNgb_QJli_I{25d;}vHb?L}PV)>i3T|=) zAK<(#9aV=H9YGeX;0msAcK(jvKZ?laQD)MiB~(xO`!r{vf{Pj<`;4l7*#?{C!i9`I z519Slc`c0L*XJ{uQ_hM|xJr_uxx5iqQMQ42<8Kno>OE*g3eL9VNR6C$qE_~~91M`T zT|PL@>Pc%8wbp}Ve)xDGsmn>-^hR{kHJND1YEhGcB;#qWdCJbgbMoamiw|BRH2{<& z+uGgjEz1?B#VyOeJ{1WGdu56!4__j=(D9UZ#fQcCvUjQAfql0er@tr zS#<*wEk5mW`=whWt=dl7s@M9nCdrb#H{fQHGi*XSnQVIHzHEc%brNU82E9KTL`F+& zzDTXNPSqg^2$-~uuyy5TomJt5P1RabH$JBox89xt@7?9dU*>o+F#g5q)OdnaHB~*) zhRzD(TVYPh4;@*F`dP^+W#q_=0+OgpRMhS&nyGUk zWKdJH)TyKLp-siCSQ12*2pP4iSlRL4g2R#rVJ?`K`8G_ zFQKnD1Y5QXp%zDbz7mX?_uuI1PK~j=PI1b+s&thP*V?215>FlePaxn> z1BJR_K8ftL%ItkH*fsd38+ZaxLzEe2T!D4mFgF0Nbh~jA9+=P#bBtkxWG69<5ffCS z_a`{q4ZMQCz~zjuUEQ^i`_*|?0Bb^mw146Jaj^ui%-!NU`3CS8(7f)vee{rL4{RuP z@>VZ&lr&Q*`6i1NG$#x%kdNH6u}tXs?p?}Lh?b$ag3h1WL_O9V%<1tuQ6sW0tIlnc zB3qoqm&9+Tt}brdTQqjcu-0e*XOn+6R;|5--?kUoAj_3GIJzYY25WM6N$;*Ze5!S6 z)Yg&-72=WhT{l&8W=W}u-Kcae+|i895q3JUd*5z$d_!|axTG-Z8HGA@Pr|q|%z1TCu z0p8UDe9lSe$3B|9AXqYcWKdfL89_CZwP-1*GJsBEM9p_hEy%p2GP9EqYojaMe{qMZ 
zSdO%Y=<77KBj^d=dPtfWb6)K$4uX#6Si-_YAyw>biY9T~6HI ztJGT9-2-#g!YJSX!XGHFss_NB&p_@_56or2MOHvMiwf5D07>ATXCVH`B3l6lC1+wp z3w+TNq{Q95)-)9g>w1DB@SX?e_?8Ll;DM<w#Jibt=W?_&L z)z4y){g4Y(k%`K@Z8~vnE9b_lgj569Vx3~_6`k)n-NO4@zqeV0(g zTyU-FQhz3yR{5r!6n9UCAJV9e_EcBz{epxuw=3n@h|l1P{sq1Y9{t{nbA-t7$h{+M zM=LPckqiwc(uNxAObw#9Ee}S(8g5T>`jx<7C8Et2Kj=dxx4Uns&I->6QtZ`~3tww!O-GyZgH+}l>iqTO z($sk;`#jC6xOKxbWbRS2*;TZ=Pch$Z2wM7%(CXxTRwUZe_)O1`q@A>$3;$-kxLSNo zmy=*O_j-7PP4Kyj+Zkt>a86hL0|YQ63cO$Cck3i@mF%^S{4*?av#W*67GG1et0ngj z{x1bAatyxY1rlE$625R~2D4pv|E-9}5oZM17QWxcBPUZ`P#VSDxSoT=co*I5JJCn; zVYwHeD=xLu(+VE=(MwRC;|xOQ=L9}s@@e5n_3<+ZHo=O8BmYtKBRK&=g5QhbZ&)7^ z)Kr#cu(A*6iWlgOw?n3J0hWFay5PEuppS~cC|}SO5MEnw6FCEa_rb#eDA{Z)T7DZ^Htf*W zJ=42`9oj&x$AKiM;YA(wR*ST18L^wV3b!7To;@#yg};FF_=^)rf;5=LAM`xh1!wz% z?iBrEp5#P?_r%x;E5&fINJY|(CoeC?eZ~OzmLEuhdmw?Syg*X(pE^32xz>Hnln68R zJ{?;9Fqi)=+OOEG<}_6wU!1r`^X9n@%`+^b(@w^9$4^18oh9OAOCX#XkEJka7{C?JcAN-{(ywo7vrJ7-sYXxIx#i!GYjX{VhW8E-G{?j5N95~AER=g(3-6*WlDr8*!i z$J(+c?5~%cTgT$hI6x!7zbWY8tU%fmc&fRPkt4magnhaG4+Iy>@_}y!V&+qJU(o^_yhDevn9{; zCb7rWzhvM@Zu|@JNb|#RUq(pEUZD#j`tkzvZ5?~6`5z_1zwKTgq;)O34{LYe?MF7x z50bl}X!!80g29~-EOG(Pc!Rkik&`RhoBhN6B|boIbzyby{1cvrPXRLepR_M1el|DC z&+hA)ow2tUD2^QX`hz?Si1Bz(nZsN%-4A+<{Mnl`|1J);R6=Bm_Lv!y(wNGgUEj#S z@fVU|g5~PbWfAqfm=Uw55eSS-s&eu@Wf3u$_&y`vRiLC(qm<8MTbyLiWJ$w_@FN^T zUAwO)c%^LyHFYg@DjK=xu!~UJ4Gl*n?+ef6sy1+>M(*cmwah4$GW9;bZ}qT5E0jxc zxt587Xg{%lL9o70>3y8`)nOAAUTyt=FGC=iJ#R|+Q%dcA6(TX7$+E1?wr=gdhpFN` zlX>>(&V3rg=FDS7vk6_>%Gm+5+-8~Qr?`dZde+o-x~9@NNxmVSdBakd3^dcf>1~^P zE0`i!$NS@=tEZ`CpOR!Ro|JpnT`-QCD=n#2p3gXMcK_@YcbXaLG| zZ-(N9;aj!v@YwO@fOV!d%_B6Uue6oreLXx$8hG6cU2SEsa!RakOfzqIa zCIRPWwRP+Eu}Ik+u0E>FFA5gz^cHf_!3s?*{+q>k#3g2SlY0a~9oF2DLSL0O)sB$M zDhD_yLKGj$o#xH*6p5%8gOUeAbH5C2PRwRIlQE=lIz2Z=+6~xemgUp7PdDhVbUB8a zZ~8i~WUIx;oaUeP0|#m{9+bDZI8Zjbr#mGV5+zy%``cLzctxIS_V5dEimTtJFgG3U zp6{q6k%%03WS#@f!y#ndR>_16ZZLIEhV3BQYF=?*P`39=phU;CxvUGbgn4In&t!gL z6rP%`_P|BtyRvP^V581X;??e^*5+|f{D2RNTKOU$w7>xwb@Gl3V|7tXgHqNUU}M)n 
zDJhn$Rh3Y)kQ!UntS{bp>yI*bXj@2cTj}=6AO6~$)m%GrnKEkK7)B0JIL&Q~Kj}5u zlH*UFdoi`#fGTLvmfD;C7&X{e>cW*jL7AH_xQ*nQ?G@&nOX7Ttn&ToVo(3&f(w;d* z*DrNwT8W?s6(eto^5d1M}X9HsjjLXfE?{wSNBsN-KdO`%kma`v~)C%_R;Q6M0znj`$u8GO)Z( zdxUj~RPiZn9D;d%a}EIs4;s@?v(A$Rkwb49aFr^X85TcIE+ z38IJ@;|K98r%m4-@$*rzWGLp*SS=Kj7q&rSqLlN!N$gdyQ@oqiEFrfB4u}peOE%&O ziENZ?nwDi-?;;&dGd3OV2V?tm-yn+0sp%-6gK_d*y3=X3R<8cX`H;o5e5CiU#@DyA zKWMne%#qvpFXWzN$Sa1+ino(JA6{6}sq?su@De1$B1)GLSmwzO=P(YWCC~p+`@@mI z%1b>Ten|>axEd#YC*&o=1x5B`{U3}|{h=7PPno24JnJ{oN#7Omt=Lm?umTKn!sIZB z4_m?@a3&cQsbHr{_#m2{R~n{z2U3WC*|@68pJl5*S@+F~qbR&};N_g5El*tWg@L9C z^E>c++Pe~={!Eluor*uttwV~Hg??NO){VqG5$;EVu6Ohcg5oK7Snt*cz8?O~k;9>H z7J3Qz61~KI|9FZ&&cI)u*I!EU72aS*?q*kz^_9_Aho|1bi?ZxPv=rPL1~S1n z-+)&%y%;Z~VFIG1|BVD$_m?nXBmLbaOeXOZn$O}Xr1*lY|FcV#{T$auorB>UZ$T0g z0$XN`7Xs{a_OBxlGkb1DVjhea!azV%@4w??GrB@w+th&VLcw7*e-z=Mz<29guS#Ny zL`#qNKb(3d_rE&)zpew_sK#Avy-DEGw_rJNgMPgByYxS!E&hLDv_-DMf#H|{mf>JI zPT1>ZZ`eHoGnwEp&{cLam_XUb?$zP+417QQYs)&=v9P-s%Rkdof3o85O^daE8=Y<2 zYqdZp)3^Bmj)?(D&wtO$p)?l2EDsu&z#ppxvr8>TgEvCoVSXA7fk86yD`pbC{#dnd z_Wi$Yls}@rpOx$j%%eTj`D^FF?nCcqo!xRGO)&0AVN6qwvuG^9gN;B+ax@=n9P@L9 zVpB+}3Wf=zL2me640uuZr8c`OW=RgieUi$nRo()vU~di;)iGNYtM!spS1E3!({|Un`4LugfLWD7MM^HcWC?GezS|WLtHOQm&PJsP;8L?<2;u z7amZlt3*P@!XB$rp>!E8%=+6X>R^RxC3N|dd?qT!Ew`e8jE!UI$mem0c{4R6dc4b; z4>fWTKNi01Lu+%c>{_r^qu}e4qkfn1@P@|R>lmMck8h}dy@Sl&6)6Cp7D^^;j-CH} z7P%$wEC3iVJ4AnKcH8!)B}Hk4dRE2M67Zyiuc>IToA%ds>Mkw?$dISfmQGO-?1w<8 zy)IBWQ@r%!i|+RoP37migyfD9`_Waedf?%8ZK2}m3Rd-G#`9*c$|UAS+W8sf)YXse zc0|?Yb#g{m5g(K?ZfrEz%YvF-7ZAc&7- zZH$*^e|h@4WY39fjsAsj-e&8-{<`xD<7}!>=|eFO8F9{y^u?6rz>qI48@zOQD7WtV z&62j*{hrASUQnEVkFjPVow9z}?mEHgIK1)7ElRR-{iOY9i>xoUoAF76XD3F z<+SNB-&B_YQ}(^`z+!-wak=~LtfeB1c)y{rli1*Wj;}#N>3r?}{=~|nxTLMV;^Q@6 zQRGU$-XyXC#xs83cwH z7!hO?-kKaP@`0;0?6FMFH8rA-FFM7LCQI9D!6sPLB=!#ph6MLJNACQajkO;v=Gv5< z_=drRZ<*Yu+y`63@1@LlHE>T$Xz69}1Q3TTf8{_;TFe;^k5>=NosP%-cFfp4=cd{v z=2s*W)%iC?4)J>=l7Gpjb8d>{9_syv2>JM@lRtzlUB>Qv?QrFL%tvN=`>_i&AAgVc 
zQ?*R~w7yF2-x0CWEe7Tme1t4s{PC@CRzkmq>~I9jQ&tPU9SqOJ>8;q`9Zz7A?Ke(4oC#akUJl1ssHN357KI{ zb6D=brzfw;w89D%+Ad+eN86ywN~rrvI$fN?s*>xLQoJ_#s}YYb)Q(CF8A&4v;tS`t z!vhCyk|OOQn~98cRF6i9fnRy{qrkyL-91K!g}q&7m?zN zM!oHqE$a7MXBMrvnEf+7h~(70Te5X#??1a!uA3f^>r&{b<7t!n zk|C6LOd<2v+Q|nb^BZ|2Tp~rgT_#E+tXIuupM{nytdFA9h_o~I#3>(^$BeFD!o0(5 z%^-yZHl$~mwW8U*MlWYAADvAr*7l5J&v}(8=VCFb*~;k|g4UZ}5aVGjQwh75b;Y7o zBi}(aEs5Us{g-&b0q3o$m_44@iDeW2z-v|nwX`oDBVrj^CeZ5qPq|ZaX8Q3ki&FR(JQ@E}MgsMz#=gvVZ_Oxr|q z>P}ouJ}w9WcLbB^sM^mkp z_);PizcLtM$U@OkXP42~>~E@*skTb|jFBN z_)%wQ%I-v`Hw{|to-Ah&xT^5fq54Mg_8qF%0$jdpvg#cHw>CL6cO=Jq%8jdE*pxb! zsFkz>O^i-LFT##}v|79po)=MRgl1F~^z+iR-yKki7e@y&!IQ(zZ+Vy_K87wvFO@<~ zsHLzP%E7&+Z@ujCy1Tnf?Yz~<1%IX}U%xrSY^kt&ecWnS5SZV?dv==}$D}sMg*s~+ zLcN%26rHN4VA6iGO`1)o?s){U`pORN=7jQA_plIy&#N_$w3vkZNaw*Vz2ZRnee{hB zA0BLV(05G{+xhT|N5;x3Bqlv*rzcfQ?8m}iY`!#E;}j%&m>fHGvQ~j2YZ7Vu=_%aR zXO6c@-)TMmNSfC14=In4UYv$3(*Dx=Kw6gayO}&|PWx$*-~3<=)uy26UyiYi_S37Y zx2>KVIs{ZB_f@V8>nl(tD6`sJx~=)jYZgH;m@jy}*p;52@|mXp=tllKBNxoiW&|FV z-JYW6B^Nt{V_-Y<3qK>@B7^kk3Z303M37)JRl?-cf{0n6xVj;Qr{@vq*HL4UUBc9R z!nGuFhM*eN69Ee)XI*X=GOy+vtk)j+3kU|TUJKNHhs^BowT)1udmcJYL9oI z-91D13aQJb$~C{@WtJYWvy)@05K-ynvVX5oA-{a}jo`iP(I@$d&r{X+*SF+y<{h$y ztpWeksOD=u*CQ&oBI>K&I$m&H{${luSRhF^`9R@u&Wv@Su$Rl4FbxU1iyl#qHcncq zmb!9MBw*Gk_eosw!nDID5^?6X$)u#bo*j4HokV1oeYWKiE6UT_0A~JXY|S&d^5S(v zarv{}w?(@)GGl91}ZUbY)`?kGxF9@?s)+4)Qz@%V{jU$6T} z$ML{&6emTAtF?TQN+XHK0{?P`%VM`)7RBzxuL;4H{<8b3Wo4?Pd z@?_J5#6{mm%~!~NVJ&1|jYF|)c;3xlULuLMop9=eohSco$`}m!^r3`GjwkL&ApqW_ zx>_2fC6ykp{EcxkWJTKXs!-kWB{#uKh`P8xjgn}09={s@94UAS8Stk?X%N-OQH-Zo zcq6U9hrvd5y-%GnLw(?EDbvoGc&_0Et#)@Bu+%BAd1rovXMTjd6d8;X=@xj~IF9bx zS?#TFupAHL8a5@=s?bd@$&S`veC0K0dV`!&mSaGxKoU+7kM9}K;*cXjtFnqlcdev; z8!`^?ULFD2?|zoKORe0nJGOM&d!kcofn4rdrdr0vcwNOX6^u9Bl}eEInMzQ}37lV@ znyD1!@~|^WUo!I_MsAPX2p8-URI!oa$uXLY?^3K@%@mN_KdCsGHNn5ejbeK4Oc3rp z*7H?zxk-c-3B^4U>~^tyD>#zri^S9RTLleNN>ZKeVC?^}Wa`Q^85Nbr7x@!|(|M#H zQE7Pw;^12*Us{pVtf{V=U|{0)H3yW}>{Ya{wqQB|qo}TofR9E^H@GFW;ptFjm`MrQ 
zR9P3Oam{_`meLPf`O2Y<{Ko85-)79aCy;h(+xY}tRdQK+8P_P|iPbIS9`eYMBm4Wu OkIV4f&gI%5P<+u2oQq+aR`ur07(dtf&gg< zkb!_J5FiTyS0O+S0sg8+R9Fn|C<2rzu|U z;<4Q$Qutrwqr?xXDpCYik4Ra7HW$@R(mn;Bo*I{H4p{tnGoE>xK-68CkM5d~46;Zh;`e6)a@z|!Tl`a+5e2VQS@|Qp;uSL zWwErr_1gwbbDUP0CU+J4_wAd(Q!H`{QhY2n#&NKsTJ(krI!c7-xs7nObm4O@6QbUe zSH9zw!YP?TgF!z6IL8#Eg|khO$?Ry>t<%B@rXUBF$3Nu7{@_VrK2wkjK5L3hc76W& zyucsh08C~IQXaE0&4i82Kyui?3?w{W>(ncyB=ynM0R^8kL!xn;fh1^@E+s6%2AA`V zP)9(fMyNaMq1kggXEUaJ5*Hx%b)$%sbC#PG??$YaD)W3rj#(Sf*5QaR;4S9sJ=`TW zoLu&4oNWtjynBwfmhB^*3h)BQbXEF{o&p{L&XqD|g0>^n0ePN*4Jh-6l6i!Q;yHxY zN29A)vwwhp9y-TA*wOA3?$HO*XHOFR0n4Rib&rj8BfaoVj+~JOo*S*l^tzc1M|%04 zJ|~Ao^Y4O@hd-GoDZOs@E^1q12VQbay0`SY6=idB5;cCv%}(EG959&N=l^_Cz!@Eh zWgaury{~NAGyTRRtA=nd&$52w!H8xD5tUcYX+9=}m&`%>hE72Z}59S4Py25^!G`73>K=|`p=J3jIle5)&zfiZ6-X5m6!j=O)RO~1L#U~XQj4bK`y zV@vL&BTHfaJZbkU;slJFA4#BMvmaaNvH|n0g58Z#sV<4Gec7e%ebk}}t#g^~)7~<_ z?T#kY^?Mk?NhZ|Sbn(Q9JGESpf5-|w*^ZBFi3pHHNkn%P)%M48=j8hP#7KO>Yj zJY!TA{%&|?;!U1cLH?$NJ3+Z(N79&u%q%)F4s$0R|7>$x_ru&4{Y4>gKhq7An4omg!i_GPS()Gvns)nm zL8uEf~;>t4-(IF<~E_3cNOS`nNJftM+ z-?gw9>lb`E`q4(hhU=d9{ZwXi(c`AF#$;~UD2K(T9g+(}je-)x<%=38rsA_5V%J27 zCRUvJ#4Is2Dg9ZpIoYjQvaz=UF0Hdiu8KQQ(FV2G@R#x&f12NFM*4Ml#eSJP^}`T) z$(w(t6E3g@#c@30WowX?IDF{Dti^n^b_Q!^9^7gJUW27M!KdZN7|a6c1DK05trQgx>F{Exwxo@ zoH7w-6`!+wXM1m*s}rQ>EubfddF{Z9xZy?~&2WMfa)?Pgf$X?N#Qn6ej1$NY$2)-x zxTU5&LvWiDs0e4SkJ297DzWNu*EK6vXV-n2YJwQ%oLrg5H0K8=_E7PORw=7calO zd)LjKZ|<%uU+GJ|CT=sTyujX?xzWbFKy*v8M5UXa*Z3*gTcPWUbav;s4ai~t#=lJA zPJ2)Z_kGO-Ev#w}GQ)lLAP=ErQL(3@E-N=V{K+0v2Bs+BEPO4P&mNSxJ<;*k#319+ z$mT`5hrRcxD=r1j*>>uk?H_7gku@c9+-7*3VEpx>I(d$N&sA$CL9(5&Cp{YE4g);5 zoW~@kLM(gDLn zd7hQo@Q4ejf*+XcSxJ(42Uc|h1+ca>z=9mAV)z#U-a-wkq8m1H16kmBSEQ6YZXh0x z8P@wHw&4!W;f(+1hVwug4$ip`(gK^r$~pDbun`Cf!k_Mg)Pzgst^o(U$uHI5?E9b+ z-u`FhrMREN_`IWTNrg(mnTqlQd1qV z!==GrxD4P=?w}I9=#Csj%aP?sTaJLBFqWsmlgumfY=oQLkr{)H=Iarai*TDe(k57C z^z!?%i7UGM;d^Q`4c)$J)f!usp`F4y5eKurrJ)j??F5ztc0=)=rK4SK`cRh2xuLD!isX5brF=JSxsS5oni7L`A9aW-+Q84)QK 
zUNQkIZp4_C#F{k}S&cD~giY+@Yf4D!zby!cs8n`sClcP*qniR|?@XMaTcX9$7SbVl zjKQ!ccy}DF;7(F#cH^v23Vthqe|KB>V3Y$FNwK8d;L;m`pgEJLd4^A zO?PXjNfdXNP%Qh05=tX6yMDvdGk%kHt^3>dlvbNJ7BVx3%4ZByMZT;HPA{o{{K~(J z`)KU-SS)Pid?xBGW1hn-@U`ruTgT#OOsoAG7-XJSs?eA3$ye$ja<;$Q&6~NSaw-f} zI51#JPxDD`_EPG!@>)rvLG|7QIoeNSiNnV)4Sjyg{>6lXuqB!VPW1wra5ms(FYpY` zX?V&Dyo;6+qw9#NU@eds|CX!bVWQy`0{wLAgI{jxTK}@pbrhxCZo$$nv{&xl$u%aPN5Qq`-RTh?q-pvuANv zRGL*W4@}!H*yI;J7EW>CTKQ6f#H^8VL~pPHcz%a*iD_ni$Ek$1i)~?H%CiqG6{CCw zU#Iy>^J(Ri9ezgpFL*kbgL>gam#DoBc6x@DbKUy6mc5y?3S)+)-?ZYl=e~~9(`}rg z%)sPCe=A^PiRY*q5a7j!8PLcRTMQbc22M<74)XmYpwjlnf9X_9$BW;D<5cx0BoiE) z^bs*6dHFktiM=d!sMR&jd;B56{sP_cjlQYVbtfEs2hIxp4f6vOR1rSlX}msgtB(tz zm|!~}WFMEIR8V|f98u0YK$18wIbT;|N50f!&@S#Bg)cU{$uAw}OrT6KSfus04 zTgz_#?b~zbRuwx7;>O%^b`~eyZyXF>rL^Ima2`ZSL|Y89AMojL`qkQaG=T{{whO0R zvb0e867{M0x%S=$>DO8%#?0i`%$t+cv^x~ccLMpJN->Z~O)VxoPQ2)9F}1Z+cz9pQ6p57v(Bnx~3lRgAl z@FX+jR%5W_1=#)}NCF!^1c{ivGz0Hda?n2Y7La1_&fmYm&>p2`=4qog?@kwPF}RXP z@6rsb`XaX=&watOc#Q2qB}Q<E_L#KU}#KzjUbrKnD><^Y)V5h#lrbvca( zUPNqQ`$r%LeriX$EuiHKFZqI0grbRN1#B`lRLEV)BjjP~%OmgvdMLU5^zdu{*s|Om zb!X#|4VKT=i4G~jxt>$EuVpID-(^!rdwQXqJ-Rzdbu)1DcI?Mj(kQRqqAIP7X~XaC z?z$_MSt?Bf8+tb_Pj{s0Z&WYO#2qvwE#aG`P2AJW%W5u&pY{z2zUQh{R=4;nEy_>e z1C7zM>}z+J)5$QPy8+2mFZ#aur?Ml%|292T{NWz~0h}ttJvI7^q(fZstpT=g z*cz4C$!xKO*p(9H#O^UXU!4Z~5H;xchU&%hniA!|#2Ofgwm;#{? 
zz(W1PQ01WvA(l9zC)@o=!1)9MzsY|p91?H>vRW7XcTB#U>3)dE{iSxq;=GGhRlY>@ z)`lk4R^g>^))SBd|41Lo4}X9LRu2HZ@X8lPa13BnAn1)Zw6W-u1z&rDkPBY-s|w(o z{-8I$2Lr>RjlC({iZJxCe)yh3;#G@BFvo~Vd9egFHSqX>ks$(t@KOLsZADD_KNk0= z$*&21cY+-{@?T5pF^oC3e;DVd^`8ON{=W^lfH{_V0@e;hN`tKjEj$nis-TCw@BiO* zgLBm<9NAyG0fX%ZW}=`o*lv(_Pmt6046gOHk*j=9B1DEmaTQNhM*ZY(u=tFPX;-9} zpRD>SE;-rFtGoz7jQf-(@nZ^~B?5x5_%o2&=H}J^QRcsGaDOzYQFOM_cP~HO{dd$+ zRwmu(Cx%Q9{Rvo^ULwTNYtK}TKT``J5Dix&A=O!#?EmYc{TBAq$0hf>NPwEOT3(wAO@83+_%I+n)x!n{o#Yb`QS`jOIIi7cWQZ+S{`1t zr)306XAD|CR}?chCPwYW+~(+ zahivF@@Es59r1GM{vF|>~ zDqUWxCOoI=-$3d^O0HF6!&CN4sZA;Te-Okaf>@~|6IvwX)ph0bY}m(bcJV*7ezp4_ zN&fBI_(yJsshX%qs+wL4KciuWB@DS=5=}mQ{|DGwtM?YDnqK;;_8S4{(IUoYeo1cp zDn;xMr|`KDkX-D{e-+KV2y1s3{d=u`l#c)JJP(TjFTMh)(1z;0NVBB#=QT93UrKBG zgTQ1qBhsfab;>4ex#Ye6b5~toA72n)FLQ8@i}(<_J-?{!v^GinjS97yRj(E!m#?qs zO?Tk7^!#QXIyE{w6}=t2&6vNgp}kxg1#np8 zy&h278*6k}d7vjgR1(ZsLwb9~HkIX>!OG}V1)Y^(%8ke#p8m$DMP=@Yg0xYmIzdvN zTt7c&Rmz;^R(B7hm9}D3-?n~6w*WeGRzt2=FZ@O)kKB?X?f%7je0p@O%ihNreT9xm z`U>+54-v~1Ww!k&o8X@D6rq_HMaix8DP~l)yMxD$4;7X;qw(u4MWS06%+ox%d`={% z)t07S3Hm%-z9HD3>K}Yxq0_dp&t%DYbsZ&19Ig>1@mGF{ZRwriezKW0Q~qr$3B{sa zImvAlSNkWtnDvikb9Z~t?+m6ZN`t1VV2REF|BhmX+L9t$j50J;{js)ObplNyROm3b zF=H5**y2=9xglQE{6WgZOMf-#VSTXm9npow;*C^WJGS}py2Ke%q2!7PW}(^Mxz&EP z)?-{HS+*xshP}!gE?HRxxX(>aPdR;fT>F`wr$0_Tt86YQco=wtujP`@6VW9P6a2+@5EEXyd~#!0~d58E<9a7Z2Z6u>xx5m-vH}h-bf_ z>Fvtxzdn8omWeT-X{FP;ovZmzsgioX0u(o$AqP7AH1p@3VB8J?$m8l%gA@8NfD9S zX8$5s-`uz!{+#`s#+6iJkaxWLIle5z4?-O)e56i@IAD2m{AbbsSpw{MtZb@@dVNZ$ zDof&xYvE7X&uH-f5a8K1B4Rm%H$3fBUjtX=wwb(CAvRbCMxLh(Vel+*=R!+LN&1s_ zq-W?@V3|0OPR?XEl#?DMn(J)xwfM|n^R(?Xw@W3_ZG%t0nK=t3HnxYnWmc4r2*T?8 zaTI(%AE@9LNDqueAw4jyeLLt4og>pP+dt9+IFZQ9dY@O|af4cW7ECy?7Qb%&zX*lf zLD4YF#PtS;UxJr@&j)^ysQCN^^F{gFB>#0HaliEV_~sSz(?24V37-@TPCl{O(1V zHx8tr%BQ#2=?luIN3M*Jit9fv6r@XY;=$|i$#{@Jzjl*l41Q|B?_K`~5n9M>BagMU z5c_k(M3QNDeKUW(Kjct{xf$dyuMVFi0(@@I5LvM6urC#DCqd6@NrM%#wptDE6bG=tdZZRmA&Uvaa4|*%0lV`__A42AYs0vwM7mSTjO|UUNW# 
zE6pIZd3ea%Ufknmt_7xx^s6;5dsGR!F2O0=ma-wt!l5(2W7M&vnYYm#(`G&30{ThV z%`DzUZ608@ICo#vQfiuyWVRZXmrM{^8xZyGZ`7K6&eqt>>f;Km4Umlg#>`n!HOn|U zjq!-?GT7Y8(QOfWf6aH=^vP)5t4CS&Z>TPjnqC2o>#83VgJ+kI$1-X+MdY=itq(|T z8T7eBEh<2W@2@z?)5AeBsK!CIrAuG-N9$^erdSf}r*kmPGf5JZFfr{$j>{eK1LF>0 z_Ig%{9|mnYQgmQCq+zXUXT{`t(SF6Q#-%mvh}>Ac{oa@A>Vo}^X+qn*J00(BJQO-C zY|Qn>&T!@Cg6M*&oD6~HT2 za6Lr_)f~g~;oRTS5Ucm?5qcq;*WI2Wou)OfT#{EKHzi6zb1+SE zX7{m_vwLr^_(F+oMO|NaGwawvz<>ZXDzdi4+Apod^FmGV=&+vTi#n8KZmRJ9fm?Dg z&z0BAX;<e;o>yu^{AitPM0x8sl@)@%IhGZ8KHa>YwORO@ula_yH zH|fjqzx_*!Rq~c!a7g@9{kwH#!bWi?-1-K268Yre*>>nLu4Lmva8GjCW|sYpSet8U zw)=0ou3EhoXp6e1l+UV7o>9MGrIcBKrTl*%@b4O**9oKjw-{><&UTG+Bq$=(){zVa zm)$8jJN}FcgVz3ZM$o@{=)CxC^%k*K&*aMY(a+*Yf~B~gQ(h-}gV%o4;z7Q&cD&p0 zQLhg8WD-b;*V=K^tNW0|N65Vdyml;eS}ZOZZ(Hpjle52gkW?cwd6NID!@ozjuW~&% z>V&J_f)wbyd}$$ZVfyDJ(`vPA_ayQev`I7kx@2b));_uKW_FF;IIMa+&vf9gp5l=t z^sKN+e)qYWpcB75oLHHq&72X^b=~TXKs!x&{H3yJVu2;Ke7*-bh^jfFR)`(7sw~cft zslNA$F?9D1ua5Znj=4Cc!QMO5-ZL!;mdrIfN{u^&|QM|Z7H%%HaP z>_^cfLpet(g z;Tq3O{Pqd1O8k*%iZ1hw-fFG8c1znY_&7;JVo2|~4el|~g(pByy=FWV7Xp&br4uvi z__39MOEv8#p)BC+L`iw0BU(;riCKwt;_D6INrst9Q&MIBGYlbm!D-eG)QTqJp;!)B6-ZDFl_}-B=5w~tTP_> zQ{L3{t|?MVo#v=1lJ-iYh21&+gOU-i-74f=0PMa%rvJ-t%UE0!tsMawk#{P6`_ zVKcYkI$y_Rv$i3Nv~9i%=%hf#ui`swHo^{>TESX@Q+@HEX%?HRTD$;vtVu`2rA`NeZRLoTkege-JQMNhoxKw=PMuY?Mvq% z-5rV?e8CdPmsoe$Yn-`un^I=1~HBq%BsmJYM(F8oOTHim5Xsq zaA|mk;OoD|FUDrjFACWcx6ZF*&OkbA58Y+Tsp7UlBr9@sK+mXRxWYk9Gs!JzESvZ(H@%gv?M8n2Fumiuay zfBJgjV(^f%Sa~aDLRA!%TjW&ZD7D3b&o{O_gTZx)=+lZ?E9H(Xx%rKO$L+q|i`=`} zzaglwU6JG%*jaX`&1TQ~#m&e4j9c6186;y#;-XR4R2xp^CMF^d+C}s&Q#ueK|QZi zOhxG_It8Ppc+pP})VpjcmG>v2RWj#te8z!J z@a^!HN4Zk6xhj{Q7B0PO`Ay13ZYdd!i$fI{r3G-)S{5DsLiqz(ENNr?>_%SASQlzN zzGOGfG0fCK=9-9sR*P1Kl_*apDdz{f-D>}&q@oP^>-rKWw|0~;)w68)Zv$(r`3SNu zk@iysORzS!1&>&Z5>8F8E=)8=YsC7dU7E4=Wh`ydkT@k8hMDj)ewK=km3#v_AD~S; zHd%9cR=3e1ql!+&$#tb&yA8(8cbrHm{VzUoK37w3`#e2D%B)RZFu9<|7~jrdD@#Ca zLTsO8n!x3e=oR{eAQkx(=Fem^2rKXMNKWyNbgb2L{BhNGj<4aXH{4muL-iH1-e|S^ 
zik~H|JGSg2{)dt1hYbL<9YEI~TfXqS1;y;-xc&Lb-O9)*QDHkA0A1Sg%QYkqmkMO57F6P9EaP*HbNnB4uY#!q;H5^4GO z`^HAZ!KkKChmQ8zPRGi%vQK2C1@N)jFopEnockjDB=2i$Fq;$^zEFl3)|-EdkOl-K7)FI-*})lpMU~NZKo9n@c#|L(7|mh?wFqlL=tq zrA5z`R^&%0Db%E{jJm9(;9UEcYAs_g*E5tn90r3Ex3>7btna9;MB4Ja%jB0EDw&s? zElRUNsd}mlw>>BHRN^&G73uP@o z@+zAyQ}dYzyX&b)f%286?l|Yh*kxy$po5^a50Z=@{IgT{)9jSCj$aWtkUC%-_Y%HF JEBpli{{UPd9%}#q From 3eaa3fec053184dc15a1b2b56602c60426ebaaae Mon Sep 17 00:00:00 2001 From: Colson Wilhoit Date: Mon, 23 Mar 2026 16:58:46 -0500 Subject: [PATCH 10/14] Bump version to 1.6.8 Co-Authored-By: Claude Opus 4.6 (1M context) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 6e030095472..73358dd11a9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.6.7" +version = "1.6.8" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" From c1069d4e09bd68ae6bf42a445760149fe2d4ffc2 Mon Sep 17 00:00:00 2001 
From: Colson Wilhoit Date: Mon, 23 Mar 2026 17:17:27 -0500 Subject: [PATCH 11/14] Fix event.dataset to match actual field value (unifiedlogs.log) data_stream.dataset is "unifiedlogs.unifiedlogs" but event.dataset is set to "unifiedlogs.log" by the integration. Rules query on event.dataset so must use the correct value. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../queries/execution_do_shell_script_via_apple_events.toml | 2 +- .../collection_clipboard_access_via_applescript.toml | 2 +- ...al_access_hidden_text_password_prompt_via_applescript.toml | 2 +- ..._character_obfuscation_and_shell_exec_via_applescript.toml | 4 ++-- ...from_hidden_file_in_staging_directory_via_applescript.toml | 2 +- .../unified_logs/execution_volume_mute_via_applescript.toml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml index 10e6d3f7600..175d6b44e6d 100644 --- a/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml +++ b/hunting/macos/queries/execution_do_shell_script_via_apple_events.toml @@ -25,7 +25,7 @@ query = [ ''' FROM logs-unifiedlogs.unifiedlogs-* | WHERE @timestamp > NOW() - 7 day -| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.unifiedlogs" AND apple_event.type_code == "syso,exec" +| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.log" AND apple_event.type_code == "syso,exec" | STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name | WHERE event_count >= 3 | SORT event_count DESC diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml index 7e3ab915082..cf10d37cd19 100644 --- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml 
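Review bot: The hunt reduces everything to a count per host (`STATS ... BY host.name`), so the analyst is handed a hostname and a number but nothing about what `syso,exec` actually ran, even though the staging-directory rule in this same series relies on `apple_event.decoded_payloads` carrying that content. If the field is populated for exec events, aggregate it alongside the counts, e.g. `| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp), payloads = VALUES(apple_event.decoded_payloads) BY host.name`, so the result is triageable without a second query; whether the field is populated for this type code needs confirming against the integration. The `event_count >= 3` floor is also unexplained in the query; a sentence in the hunt's description stating why three executions in seven days is the cut-off would help whoever tunes it.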
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml @@ -69,7 +69,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp" +any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp" ''' [[rule.threat]] diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml index 60055b46fb6..59cb0fc803b 100644 --- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml +++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml @@ -74,7 +74,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and +any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and apple_event.parameters == "htxt" ''' diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml index c823499a67f..7dfd581c2da 100644 --- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml +++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml 
@@ -74,8 +74,8 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s - [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5 - [any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and + [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,ntoc"] with runs=5 + [any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code in ("syso,exec", "syso,dsct")] ''' diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml index 6f60cfab684..f6ef16a7257 100644 --- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml +++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml @@ -72,7 +72,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and +any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and ( apple_event.decoded_payloads like "*/tmp/.*" or apple_event.decoded_payloads like "*/private/tmp/.*" or diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml index f149df459b4..179de0965b2 100644 --- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml +++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml 
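Review bot: The sequence is joined only on `host.id`, so five `syso,ntoc` events from one script followed within 30 s by an unrelated `syso,exec`/`syso,dsct` from any other process on the same Mac satisfies it; `ASCII character` conversion is common in benign automation, so this is where the false positives will come from. If the unified log record exposes the sending process (a pid or process name field), join on it as well, e.g. `sequence by host.id, process.pid with maxspan=30s` — the exact field name needs confirming against the integration mapping, as none is visible in the query. A short comment above the sequence recording why `runs=5` and `maxspan=30s` were chosen would also help the next person who has to tune it.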
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "unifiedlogs.unifiedlogs" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and +any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and apple_event.mute == true ''' From 93dff1ce29ebb1146e2097b20e9961ed88a5d49a Mon Sep 17 00:00:00 2001 From: Colson Wilhoit Date: Mon, 23 Mar 2026 17:44:45 -0500 Subject: [PATCH 12/14] Convert Apple Event rules to ES|QL and fix schema dataset key - Convert 4 non-sequence rules from EQL to ES|QL to avoid text field issues and schema validation problems - ASCII obfuscation sequence rule stays EQL (ES|QL doesn't support sequences) - Add 'log' dataset alias in schema to match event.dataset value (unifiedlogs.log splits to package=unifiedlogs, integration=log) Co-Authored-By: Claude Opus 4.6 (1M context) --- .../etc/integration-schemas.json.gz | Bin 7975237 -> 7975266 bytes ...tion_clipboard_access_via_applescript.toml | 9 ++++---- ..._text_password_prompt_via_applescript.toml | 11 +++++----- ..._in_staging_directory_via_applescript.toml | 20 ++++++++++-------- ...execution_volume_mute_via_applescript.toml | 11 +++++----- 5 files changed, 28 insertions(+), 23 deletions(-) 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 5322c7388724d76410866e4b705dd8bbf0da5423..8304e95eccf42583323c7cbf2bdb3f71badacf45 100644 GIT binary patch delta 13265 zcmb_?cRW>p_;`|oh-7CKq3mRYYb8lSva+-Hp2xb1Lq&u*Mv@5Go2(l`b_m&#z4so! zd)xKt`+I#~uix*Fd!Iet&-0x3`i7hEBzU-o@x^{8Foyd_BM_QO@Ev9fMctPZ1PD1g^KKn0NBm|EMTzJ z;an6aL(adTNX4ac8^PO ze!-RGyhZTwXdxG#h4V`lhCm!+}3NJhm|flX8@OJ7MPrZ?K4Xkt?8g3+dH%oT08C;GQeayfXTka=AStY80^%R9ckC6H7q2t6 z*MQHOprdh_fJ8_QZ3ucQE2+NtPKa)A>lgI$MZ|Fy+p0(J@eLbSJ zjLP>F!nPVd{T>U!fU{JfbARvn-H8>SrvCP@CWEs)^^|qAw}7Wu#%mJPIWNST_c)&3qBcx5luHU+6_?hZ5 z5d1s1cB%gSPDWS3<;Y!1@Hi{|Li zo;I`&Ctx3QbfRb)A6SXDe^2cCi-EK9#{Rt`JZ}b`$Nl`I?XlE>54>y!o{Ka`kJk3U z<*{!vJhUuW>gwy7pRVzdD-HJVPtYC>czf0k?<<&md)At6zIC*e$b~Y8uQ=~6Ar*F= z&&7X(W}ND%{;CKio$q4!n4xfcM2NJF@SG)mrAk8*?k7;0P$eVdP4Yg8xss;tljG!H z*qnrGL+W0dNV^@fAl*oZ`~)kQY~3%!cK3W?e041&M&k9*!`oi`WL+wCb6gf_`W9+M zi}|_k53{WMO|1v>^3$xj*U6h&^Cldaiwfq6d!7*{)DQ;{1p4IycEv`;$uidRIkm+pMhU zEUvgWa?WJo3D|Z`HmTcuSPW9K2@4pGDC-rknTfGS$s5AuS^^q+{R?|_>q7Sz^QG-G zBIt&B5CZ+R6ovidlx+dy(7IGpqH*kuNB27UJejD@K_gOuyvy8oI&}DXi@#T;STCQJ zNrOWX6}`6GbWV$!>CkvZtpBOZ;So_{26F-YMXAO4o&6;hnN}yVM*lj-g}eEqpQ%&4 zhAMij-77st(oeTa>VHAZI#M)FP8+y<^bb@j)(bGukJk%8#FLrMsq#*Pqg(>CuL6x- z^vI~p<6Dp&$cd3L9TlkJaCF~j!?jJ>GFJnIUG(XtYp$A=ijL~};Yg&j|RQH7E&- zqZv4}yIPsW@Q5|YhoMg+W<|6zdwki|*wZ7r8ZC?q^E5Rw89FSiMUPuvV3dqJBlm>) z{V5~-yki>oIlhzL_>x7_KCkDa;4@C(g=3k7{g$w#BghNCa0Kab%8Wk^@xUXFpa`5} z1Cqh@j-cxC%F{*azU+@UYa?MVTaXPoZ>nlltm`6qbTz<9f zy{R3iftBn)Cb-WI_#lre$B4!wVZ;q(O+(%griu39k)kn9FN_@qi|KftZ%^hHcu zm|tXSS(Gu1wBg~{RR_jxCC2R&aJxMy1mAK%pMXpD=sOBj11c5NP)d6IbKse9~g*=mKWtt2{>V`a&%|+S(^>) z$wnq--4tVC2oGtfANwK*hcuLp>8x;pn?_)9`lDSU|4i8yc*F)h4idKD37q*NeUBPA z!4Z9DBjE_LVHXqj!xtUFEAU-gkQmcTZ$miL1{B5glJuCC|GX=v)m$X=ru>)&V*P9& zJmLg05P0~Ndx(@UE{3@_zpI0H?<+N<>cT6Q_gr)~v|&AtH4LSQ13{$Oi=R@Wp(U ztsHn#qLkqrH&6~|FCuPK9D^zzcYK5@P~KzxE)wS1!WOEXb}Ddt9*_e2>&+=}`$NrF 
zOwQ&%(Rj~cM8QiC4S9kTE1jNws~(%w<>TnGfZ%0#$sIh6BbHz6Sp&DYgSP;%$#f&q z79Md25f~W-&UW+Air_C@q!?VR{h$eHdKg){vi{k^PW7PJh`%**9JxD|Wu#chcmH&C ztl;_KtPF9cO?A?gC6c8HEvu~$FXQf21%=eW%s4;qTcuzGXMBRMea0G`8r3ISV ztmx&B3af$GGJDs2x?8&Mk1XZfNF6Tl$qqEXy-F8o+i7Uta_>%YN%_XE|| z^rsYwgIwOMTdHTyxOEQ=C4JDQ^b|XhyUvdF7L+I`e~O)N zq8X}%`5(6}8Fw)@9kOwa!gX^^`S0m#WXo$-@g8?c&8Lm-@*_bDHxWSwgD&iexJr`U ze!j}a{aSg}57u-dl`n)fo<{cOAfovX=QGD?x_K4!Dt+UMEZrH3BAvbI$652(nsV=J zAjFb8?K`%6%L@!gwDZg*^G9jQ7OoMzp1jD}GSJ$V>KxCyc;Q(r%L$M3il2SkvyFB> zI3=kyJr8S0^VUO#=F2E~ie|EOI^|X_tB`aT;`M|5K;kWNKBUJ+PeA^i8g+M9=k*0u zT;&$5;$q2=6kY{*g!K$9CEaGZc4E^9j{TU&T7uUnp^{kt6nby}^fpI?)}VYx@_1nH z;4D^eW#uYO^ueY0=DhI*zW$NoaSB&( zwOX#UkSUz(4A4J##@)#j+}o4r9J61~Mn}JTwnsP5qBm<+_RHO}1@#v@bJJsVw42lv znKikw1Pg_%%rDsA4)F8f!t_Y=!)P25qykP%WDQ>Y#h}#m#*K2Ur{%$I#&Uf7H%P(5 zp70U6OBD4d5D|$gv#-}S%=fQOusctCe6xF!?EMJ`-+?oNKfwF|Ic1~|NQTn~ZufDb zF-F+d2YsT5ZpBoE!FPSY^RR>u`cAz&E_?7ZEQ!{{(Bxm4_}!t|UY8h7>D9m?J|O!s z;nl)Lj0pv@k9noAZk2uusJv(UndUFxlCU(7`;FI6{aH)n3t^4=s+h+e&NQMCvDn}m z+b5S=s-jJN88(K-`~~fw_zmYxA`_j#P7@kNvcmxp>)z%};rW*nFJ=m?t;yTXXJgo- z=;ED8$7TxxEtI5YKbRxAMY`U(!?VQW@-DsF?CZnBBn+Duks!au#=v>bp?ve@HyIRx zqqw`{E3OYacIM8m$#oURe{s#-U7B#eaX5ID!kTN`X;4En)_jodkY9@^>Q&(2#f;~KZ<7ZaIv)0Sjq%}(?!bs%q$I6aa0~;ISjiWCgY?7~JcASeA$Ug$M){&oQ?&RPhItxq zC&}fhk*Et9T!qp5!KVV&h33yUxWfr(9r*2i5FdZ0V?OoHvJyf9Ch-I5@YiGc(zRm9 zTOPs0exT$resi^9_?{m~3)}gD7w}Y5GzJN?0CjlD7o@;wO z2NEE?ZoaxuDNQO08g9Oxs;gdIvf_>OmpA4bT3A#PS{YR@pyi?x(& z$7Nz@pUZL!9T8IJC${wCuRg8+IOp0OCjZqnJ=)g%!==_2aW%M>6%m>44rS#nx4Xvl z`N6v5xe2jTopm1>m^pjiF{#%AwbDI}%2CWsrP4ajRaklxlM&)bRo&wG1LU~IAF&fH;r(IyRq?xj zG~ma2i*`?i{48c4U!pj`xVwJkvlZ!)(@hdzu*6#2d^Q{? 
zC9ppn;X88TFCenG%px+3skZwQRyXws- z9vc5%ag6ml$@|TiOW$2$D`(Yii}G+MibDqFpFceYmWXf}=HV>7DQ4I}%D^9!jCNxO}&Nz?Q2`{>Bl4 zsw+7sIgSxr{SLnZ&q-N)L4cX+>D^oRCGj!H5gnnk z-^{eDUmW|bc7zC?rMGW=3Fxfu8dYgUl)>2#Kyut8eHsC{1E*n?N1*qyxe=^kSR)Wb z9@|**S%j}WKx1BRZwuj@4?!eAPrqbnXAHMJ1n*PxA>J+>slg^B=D{FTRDl0I{kv!& z053lRsVoVJ|A(gjH2FQTZ%#0xBmZjU?xz~;gRgOZTK^qT`TuXgsT%C86R>6=x+LgA z(7*$M;4S13((QjY1Ws>1U`hQp1T~l;U?K>n#teasdxEs4XGp!TwKVDtkst{c`BfYx zNtKg-fTcKA#yz1DUXrS-$4E(TUgbd}gvWwTC)TB2v_Jy^81WdSvc7rsf2i^gn`7VS zQa?6F{+pNY?*1Khl!Z|{_Q74o`w#J07^Be0(QA*D3_nuwqd_cOg$}90!f5xeYjq*~ zr^(j~0Tb{O%Qq+Az4;t}c|Y|G+k-!Vn>{Is4Se=7=!aDdCqD-7AwORA>#yqi-1uwZ z=#+Udi~hRy9WNF}K2Nop-7X{EXKgFS&PvyC>@9F|SA*#_6y_EZi%!p%2OJC^4$g;U z*;u$ZI=xoTM+tg()sso`m(A$4eyl8EYD$dRkGsv@HMi1oJcVmly!6pb-l}p)Qh2=b zBDaC1D>19OE`OOwDPg*Yd&);6=UqgFME~yP;Md)ZWtX#@0_Ud2RtJ`)b&O=#5b#I{ zdIxK4W_J-OiyLgUF)hyT@137>`A!P1qD7aoD?6Im1y0gDIPnfJz|Ot*Ny6&Pr3NQ_ zldx!6^y6ZK#c968#<$u$l+8GfReu2Sn$$eY#Ks`DOKHuiyni8tr2-hP10zx>^x1WV zbF7%R0BnfAw0^hyACmmx+wgmCUsE+wiB>Yc7D26QfVFl@v>0ReHTt(&eJ>sFk37E?173OtQX=oF z^rD9)gEzmine9?~^Iu3!RtuUN6!%`ih&7M2_u<@CmzT#EIoZnX-Qy#x!*=GEG#%F` z2p1?dwn7>lyLPbin0Vw>VF!^I2d*Iv^SJL zIheHDIH72Wv{ufg7)sS%@kOp6#Bg-~d==CaU)Cy!JQ~OJb zbTay16h&nBzu4~LyCWM*K5jF^pcfoVJU6=B?X}0|{UpX!nbUkPhEjZU{7$~4YU4Za zUfmu)SBKmT9rAdoBG4^V6p<8|_rTh_yPqI7q^_l-d()yKYuiyLo2_vnO(o6y!Xv%D zB}G}WDdbYdtl+}hjTnK&B~i=4CZ$+c;pHAHk9RCG6-p`PqFxHu_{%O&EYjavD(ZT* zD{@_}sn==avevjImepk)(IHiGhopmrisD{1dCzxpX)apb=$a)Kx2@=>W^~M*P405; zuiY66zLm`#-mW*RQ991O(%xnf>d!S*AUNSnS%XyAzp^>#jKHm2cs-%;tWI9IyTX~q zg$+S0Ahz(B?eNgfkfz={o2cmW45G)9kL;NZmkxzs zM4GOvAcIV-Bf>mAhT9NbvZvt3^sT9{9NBfXgFHQtLd@7YMO zmw6?*>yn-ONvF*>(Up8)R|WlE;?eH5E*AxI-J>Ev%hmE|4Y!BVg$mCbFCDIqKWHS0 zU}BR|2~MR|68grtsMFxY+!=9Go%cV8d)f4jT%y}i!8~;O!qrX#Sqm=C#pz`_gYz>s z>aJy_{aw&BUMER1(@hzSP6_1#f7xJ6` z?UpJ;S8!UoW|)_ldtTct{mOG01F@;?s>v49)wqb+!*)a8mY)1oib0|p&ky_im!~C~ zX`oUfEmzUtRY%(Q+x>J6Z=SH7RZWhJ)-K3jXU;x0#a~pWsT-6M{Tr zRZlp+Vkgne8`mQ+4z8qq{?U?O4I)R&XPA>i-}O9igw7|4o;%|J^1&0WQ9tP$qI!z 
zoE!J~`@H&gh?(AOd_$)#3tx;vzt*sh1*@@Q;j_``U)A^GKyPVuL|Gvl-N>g*7wW&S z>bHgJ+z#fF!~~WV`s*zGen2j0ggaEq{q&7GCUjv^6UK@`yO(_iRv$$_cmA(duk+tU z|K$9?u73LhJc3S$d`c6ulCPEjb^8EgMT6I1pJ(84o%(+lACrgd?ci7#(?9!5rN5Qu z>m0yO6Xl+u%O`W2=wCMt=ppD%dL|CrqlW-yj02JK@lGYTGkl+Zn<@^vKX;!&%!c%9 zs+i<(f8T(tcG(4Sfr|Za;E{Orz!Q~lqP-CPy#6p*kUxj9;?ciHpmQKJF#Mk`IoTf> z6#T0=zcOI5{zq|i%|$5VidL=d_)Egzc1$t;FNq)v;zHtz!Z(BZ8*oLx*sn}*x3@N~ zA5P^~P3TOQOBd%n|GJS~$YQl!ixRe?3*IiD^;n;%lGyHN#vXrp?<#gQxv|<)4J8xl z{~`~8Qzy=yzRvf=?966&S@BTC`a-6wZH33|pceNxb~{o6v z*(pLY#k1GBtE$#x5YMU_c~fd0l}#G2%jIqN_Y()3hR6z7f7&@4cjB5fQkhc7iKx5f z3dqZu72~3*tx!yDvTb!a=5ZOMaK`7%8ZxqwBvsC@~fqE+n1vCa}{Z0%N}vgSj)fT!m&BXELi|g zy)Z*iXE7iymvkS}i&kYaSPBv+uj;#-;=PJss<+g+@ z9H1r>^~_D@r(ZFiwqko(g?y|R7m{&vp{8C)XbX6!);bwSvEQc9#=}9&+@vroEc%9V zbspt+BWu+LodP z^qRz(0o_uw3F{x+&AyTKwq~Mti7Ntzq!tr4KX^=uuF< z_DlblU`o_mYSBLZhoj#GYxJmu&8_6GqDrSlCHmYpaG7D`DWX3}ZE#OE^I`W@%a{D^ zF=p}wNEXfT;hq?6OZfs8P14^b7_wovm__ivY>fTNP-cVc6&QozYlhEkwFM3tX?me_ zi!{VnPWx7XNvY3VpKmK59R+E`8R(IkXE>iwTqj7v={RbBuRwyK5@#m?gTtqi!Be<; zDL6Z?aXR3W$sidLLrDG9{KK$PfnY7=H#fftym%9s?; z3Gfbc&_jUl;P#>6CJ@#5hU@ zsaJSSlPNQ_`?_Tkzq|Eg8|Q1nOmQR^<>g*7OB(;2h-DE?V&C?k#l_XjJwA$7RS^V#`VT|n$y1&37DIodT5AM%U>szmX4dd^=Cv8O!V9^xtG!kj? 
z@5$BB3VFGSmwl|>V50tbZO+{yx9iEhsMyl{ z+zhkBoR)iWlxD1uh$K%b?zunkROT> zwpiPXDa7Zw)fX40Znw{)bn_XJ7tAdw3-%tDavyfbY~5eyo_Vozf)j;15=-7~y4hQ$ zZeY8-^YkJIacCT|nd{&_BW*+i6y!DIA-9NplzcXWkU=YewG>>g?Jx>s24}}hE1Ddn z<(JvzS;nU)I@O8SQ6$pwdXCR*>C=RWvlt$i55^K_xFd1X!R65_?IMrpF3d`Ei_;ed zd_1Tgo7TUx;1=PkQMsP@l=wg{w{~vf@KxgYM90RuaJi)H>m-%iY!@P)-nha1D(to_ z@^um-FR9!<;`ZMX&_Wi>{8JfY`&{kz(c$mLKYcZZ-)PkOto08U_@3;)f_>9hWV?WR zbK|?M*^flfc@!o&{UZ$n+35}1uetsVcY}FcmU-Ou9|1LGx268h;;ZK|nB+A`ie$Th zEd3Gsx5$}Ed;c~&R{671KccfnJpHea-YxC4;@QvTLNU#1Uq-z+#p?P3;=`=M28_c; zY1bC5Vy>whk27#0D{Gf4nkn;B?3_4X604>7?*~*TkXCk$1fqYZ@{cdqsI+1WQEla_ zOM9l;%4Qmo->5O3;h-jzjwb2YCTH0x<04vbn7+#I(3s9}QWIv!kds`mRttY;{E#oG z36lyu{aqjV&7i1b+vMaj|Bk2iM)0iSmTK>Xht*{?!M%fmD=!9KYZSQlrFj!J#!rvR z2)7-`(!( z=gVq0L;vHO+r%La*W)^}72c?&q$+>BFhl12NLV`VrNWyJ!sFM_Q0WJ|(cT$(Lo1@) zGi>|TdUd9|WW@{JTimIX9|>k~)~{Gr*k%4A@1vz3?r?iLdi|*-SFxn?yV-sBgjc#- z34a;h=H65J;TYrTg>Gs#7grD>4Watq@utIX(7|0kfN)PsYFv9{Kv3ajQjY zX^N2QbT_<|HNM62jqRmPp&~clrp}dH{b2qmLH=|Nk7qD=G1_5ZnNSDPLGoe$&rhpYURF$SXwdVg+#x^Bx$TaZQ-Ill;6}^=w?h6c?;ZN zshJP)^g2b%pctUIZ@0>|Xo|dik1)L<4NMWV^6(m)Ofe1|B@~$3HEn!cx}RA;rXRzp zUM4DSG`J()gM8_Qid_%AWM{PQDbR3jgs^*3g`)Li(^4!P+#m8zT39yz(UnAFIB@Oa zT>d6WE*?q&+&ZBs6~UmuD7yt(iKna53_^M+rlRu}(F!usg)I}rgvc-A5rwf(IC7ii zDSMe!s6u#|Y>Hx%_Rv20$JURTgNy~0NGSjMvbg_#F%h%O9r2m%l`^mKv_jRIZg73L zb3w7vvt_W-tqU0J_J8SGcs}^0u3jf%?>JW<@xn}b$KqbaP;zH}YGfAseWEg5mOx`T z{zV#@?eIwQCc?8Q0V#ijbp#LnugkIZ-QH3ASq_g|ItQk28uCicBtFY#pG@!OkE86t zr5F)B_!qqRCInK24zsFuVKOM1l!=1SzOjkBLNxg%8T9W<=?idy*LI0=G6}k}_UxeTS z5-ofBr$xlt8Dg|2AHbR z2N@xQk~@l1C2%cyL`91r0b_j4L;_eu+LNE#=DlAxoC?f_1h*!&In?-iBgRwl}v>hr~yY93EmHxxJ&oC@S>;_x}Lb CfSor0 delta 13255 zcmc(FWmr_*7q5yOR0Kp6R7ycb8bLx*1q4(|rCUlQhxAZG9Z--Kj*=n>NOw0PNQg)b zJr3PNcib6KU-ft>4~zoqY~_92y!UsKfmO=>3iyk<4`mAmAVb9D)D> z2sjJ@gb;w!5JA8Z2sjD>#~^?h0**rf2?UTr02u_FfBmLe0s0eTSd2m;r{eaO@-S zG@SkjB!c}Pfv=BbXN0fO`&Qb++4>;G;ng=?B=AiGkog#8GT{>~(T1i*ex#o^S9q+|{WL=L;&P1WHy3&Y03wJp7bEbl&MflyX{HaZX@KoJBJA 
zlsBIA4TdBhGj>pX06xggaf$VZWNpp+L{0BTL@Sv)z2`Kt59d|k&VFZ(EE*Gj9`ZIp z=T%5Sc5BnS_bpDzVl7dG4SZ3$=QSEAb0D)57xw9ezNPbh*g0`8_>CdRK}4D3!fCKY z0LK`DTt5Vg-vuHVV~Cs6ydg+RxaHcgdhR!)69K$n2%aJ&?kV6_ffbBEYGluF@l0$Y z{cuhZ8;4)h(El}w32hpDWp%u%CMS!H%}GXeRX?c9rm8LQmdF;@-HsEy+ua@W>Fem8 z>ZpSSmLwwwVge66?d7=XO2}mcR*lX+{$!Ya;?*!QQlIn+L8BYDmT{y zDqL*%V~_~=9*Te~jX^4d_yB#~)2f8Z?n-3`QVj3n_{R%KSkDBc2sZ)G9a`MC z9K&0T>o2_Rz`)ri;CXy%BIL%1zz9I|`&R*le5;{skB z)UP`8-(>8NUi0j?#$=9t^Q*faSEDBy>lyfIS9!^FQVhNl%#<+$EXrM)?YqzNuCQ}T zL%xX9g3&`#`ii*>Wk?ES*-^`y$iZO#@|UvH(}>{vjLNca9%3clSDf>G!lG|a#oNin z%i6crqgpP3DwxeJu;@|iEPywC4UN@oicf0vuKJkDd4Iw9i2KyN8>^*|*~kn|Qr~r2 zpr58Q-HTf{-D7#0Ln5fn@zHEhe8*&r?P4D0uuX89?G|S7EAyLU$mByQZY*ycN#8_V zl;Lrhx}&*dm4|zNX6p2NT0$^mB|7W3bNdIAyn99B4`PfN+YBnL}@NJK$wx znKP=iEXLZegw>-(V`XD8jCxr}|7GL|#$nWAwKc26sNb@^`w})>whL7tREcm2__k%H zNMmYP&wo6y#Xehd*1oQ8Ne|T9`Lg)9Cvh{z&P7s4QXa0%K|YYQ>(zA}DKyU2i_Mhh zYYA7&iDLIAqS6*L%k6ya0Ads4B&Hpnw$@5T$kuFqaVm8c6YdP=p@nkdvY!ccrwKg$ zXcFsywTq0wYOkkw+bDDkv~EU0i(tts+I-BTj#*TkYWFzmLMv0Wa%Va|R*TKw$ zZlmDODoqKk2s#XjziFzUiB{pdP&sv1d#^*jx~!&gKD=lSUV;_OL55?EPYm-bDmz&O z0^wG3P#Uj1Ot`tLJk1U(n&X~Cv^mHwy!lyqdgYsMC*C%%@!&@V}G^ul~yx{5ml~VPuz$r8p*|Q6aU)(A-GjLiATKP4z`eqqEf5>tFc$*k$IH}&t?V4=ldzr@?o&Y+ z0kYziWra2rWRSZdxq$OS9f;9m1V7Pxs|v;>t1al4B?17Eeob<+t;9FW;?y{%~c z=5vs5sgdA!(Cz0AGQs_}AUzS?1?(VcMg#oK7Q938sdQw3lNlQxWEYaBbK)sc(^>?q zXOH_>%CZBQ3AJC2ZneM*4&Y5#*B*ypZHP@L7hbRjZ@^V{xMe`!&2_d^g@f%tSt6Zq zETmRZ_`7!v8`|<8nP}}T8yf4$3I{vjR;|h&*ZNM1;aIZYWkfiZ7rto^O5y7tB`m+v zw3Y-PbO5>V^$uTNyVm3|jY*=3U=2%(bnwyq*Gp48wOWA z1!)LdznzMtfptJo5WWH8x(I2Qv`z-QgWwswOa(VR1up0QVTQfpu{pyVcg4K?2~x}XySZC{IB-5zuSEH@(HHb+nn z=5oYMrgerLJr6H{APZh*B3yi3KB@t?ID!uj=N4}J|Ko{l9c8B)T159$zRPeHDLSVa zw#TaGpKG{LDO$|h^MKv|jraT*Nn;_a1?{XDjjJ>jhS!Je652MHX#7>8d7~$TSkZ|u zc`_qMo~T!RtONsPZ&ePCb9yn_#H{up*&jY0NJcqnm|cx+xhxwiT`O)nkZdx|i>2)v zJgHEbxA5QvQWHQsa;@Io+O%4BTG+Je>r<7IvR9#r@${pR4c^#Scg@ni-_Dtr4r5QmSA~ejz_IZ`0VN(_toCeX_{@jLf*>DzM*FE%qpd}6hXq5~VIF6-{D#F!U%&NtSGN|~a_X&4V&{c#>8~i1 
zrmVZlB4f@Ces1wmU2y}GEI;h>`Da=q5$#89HR=O6ljSJi8S=5o8?_*vOgFsqU$nzm z-K5!wL7#NP=vb+Z=V^`BX}Xkwfs?jTwyu1fv#J8HnfjNs^^X~)ZMUYtdv|#Xmw28G zjDK=EHl8R`OV>!TuDi_oTJ#$2`_7ysgPat!3UXvd@sy5y>Zfa3X_mrDUUuv?_Jal0 zS31aA&@nqJ7`CqYut6=Ya;MJfhc;ES=3j>2zi2mHKYFBIvR;G}HNk!DZl%$17s*%f z!dxQey-zG=YKf***&#H~WaE+jn&XXvOzigU#Jy&wT(jchCc$fO{JM-Ewnb0bNmY7m zHSHmfrVgnbAXC}9vxvFU6l&EWN`h*&zbLMCR{7J+}h{$_OT{?2?dcAfJr%>&|W%g2eo98oRo@&8VV8-dFApI ze;-r3Sm`zTnvA5*mOa*Me!|-^g*x9R3S5@L0>WKRCC$pLzEZ*}w%ti+8WI+5Le(-M zBhV?`bGxLiW9+M)7$Li&7U!a_h*Z;}OqjZluh}PTIPCPEedQ|=QllmvjMhK}5JbPg zFtxgMO^aeWbZrgy^rPjILcdfi=PK|(6d#uLUWtu2EkDy=U3naBw3mIyr{1|CA5K#* zn0EXs(4Db$I$6|75G1O1@s^ynnn^@D&B`2|IL75b(tOaSiiV5mU&NP7m-H3EnA`O~ zNU@D)v8ltqoPT8aA2H~IWBphEtN?Q&!3&p3$1M7dg zTYjTnw+Gghy98?IJIh+>l>Jh~i&_(h=cz~T*;pm^eDf*iFUH8yT*MU4Y@i=&4d(TD zAE^^tlhfd{NtG*2zMd>-uAw1m+gmbr%&6XY;P8gv>|6DYFM_tcO>(^1gQJ_`V5k-! z>dwxZ!-sm8W*u$Wa1nmw9ltd*b!U#$y0`1quEpD0Z}UW*j_lmGn;l=*nh`B4j`@n@ z50;F)dtJ*xxz$L$uo2lp*@Qv#(b;HUDd;Pe7?@THSCP+|a%YP|Q>C`uZ7u3i+)>M& zeA#9DwP*M3@!>$9+Uw5An8&_ay&zaNdtgvU6&Xc0le1tYtU7=>pUjHJc23R9zMwO= zlagp>s@Qveo32!zs*d9GG`%C}1&eurSAe&irsO*Yu$~7<51;b@&tFoN(CK98#Wn)* zm67yhV(Q3CWF{@lJQW4+?L`6_^X4|{0!obFSr70g(M+J}GDu=#WyYuwiCICE90Gq=;2i zu$7cgPZ4D(d-S*nEN&@(Vx8}c%IJz4%p<95blsNVZUiN|ljZ4j=r#j8IHAN-}kSHRyNWPzGj$-Zk5Am1J_jw#K_2R8LcXdB4 z-gJOayjp?l)bXE0?7KKKz;r;9EaO+~ch7wUcp$Prf&Jm|9V$%z0;EFzMCpbr_HzyK z^AYGf?DmoS%TqUb9=bQ>{e)i*TsuH=gWxanSxER>LPNGeMBf zVqHV9k@^mO!O=c1^BO+A$Sm1=v|M&o9qv=?cbh^MzmaKoUGpdr|I+NCZ$#Na)yPY7 zBSBI1umU=sjJ|DXKtXr@Y<4S ziKD*c|DpfofM*W<+PFXV@$7yQnCpuBZ%ax*c3hZi{@X1g>N9Hd%A*`^z?*}Q51ezO z_(6XV`!3AELRjuOh&=4{w2B|rdjTr&94FKL+1y7=Kg=JfB{)vTC0sRs;6FCxKwhAT z@V8R94WELZ&dMBC_60o%&S;*6WuAeqhet36#o$3d(BqKUaTx7~(`?SWnSQTx_y4`l z$KSxz66orlIRkjR>*=29hTUF(r{G;*5J3KqX5XKJ+Zz4<-Bur`<+82%^4nH(;kUZM zL;p5@tAn*42UDVl7j!k+EHi3lC2kNZ-h6oCv;>Zj|DZVHJpTL$k~9Nm4*E9!Tg$%oqla0~UtAGc8d zqn}>?jQUm6%ly%Po*xO5&$B!`_SWN1Ld8ptvA5za;{FNxJH#I|!x7im=SN6lJLg?_ zUmqXObym|tzEr#!rG9g!EM6*{qI4@c{k9M`Zf_0guoa&g88JYkHPtbLZP7+wl~icS 
z*o1lVIp-P{lZ}u`9d~$3opWp6H|+*yye*m8?qHl88Sg0V?j5N86sFQL7r;?F6*I`p zt2Q7i&-rClG(bNkzkwrwb$~%ga6{O^S&^zI_*iT6K~@+O2%b6U3*QLF9j>{3EoIzG zjm@c<*Oq)qJ^+shvfaCHn4RZ4LEUhVTg&6Mfl-Lo;Jus(pe31`i>jH>rdsn4(%;IJ zGSi#P9pCtZg(s!?FUB*&AE$j0B`tT6DTLzFbKI@K+heW&IFbJy_u?lkeBAeJKhQk; z4(_ay(Zkn@hPT7;%-L7OV;;r29DfmNY9)K~f4qLVe`ju@@Ugf5fx~cJ5icco!i*V z!t)oCWs1`xS@fB5D0-gHNZ2z71xF{>IQbp3j2cXOmzCfuRMw?ge%*6Rl5*E{QPY?_ z9S)9``}jWMVVQO~ zukcbm8x6%?QW1-AW1sT7c%4hbrm6xu27#Z3z%%v&$kfWGv^xE&6cYTC6*(L2-8y{_ z(71b=v&?i7CDebE;{+Wb@H!zQ?Y- zB+6fnB$36DoAvPU7(waNGCTT8U;2cxfrod`RgTrQx?JxvQwZbE)+s>oVxl$KOjYW} zgUso)4amqQ-?BZ5j9po+8H-2c=B<>gXPWM6qEdZxN?F2EbbNDgWP-xeoBl%O zA&D(Q&aLWe)*WNfa@)LpblIO2EjySkK|2%FOL1cS%D!t@)xwJ}Ymi zAE1^~33O0`Xx>*kVa*GaDCieLQU=2FKMie6%;q|uVM)E_^vuL=z&^X8kg;RB$zU1f z7;drQ=e(S&o)AYYIO`7%)MY)W{Nmz3+v=X_lu}HQga{3=vmEe_KGy2#ALta{xJP4Q zHjM1Xc2-kLMUOkO&w&<^5VB#jY(kbWl)fj+b`XQWDh&+E^?nML>YTQab77aV=*sPx zEKG_aQn%F^IQOPv%Q4irtLxNCcS~FAxED#_dnN5cvG>~GfUE{}XO@YEIBr0zXbo_2 zYoe8v%2sR2=sBoN5Or${S6>I9EgagB^O^0--M)pxpIdWU>qjoo#;lpZ$RQf1xh=^j zy{4P;f+=&)rNO#p`daB}Sh$l7}&}NIeWd;x&n^ zuQLovLMHG0o3Z5AV(z+mterfO@t)MHfWFRwj5&L|!qif&f!Qew6^GIiE?Pao8e6Z) zBRC&|wVHA(&VJ(G2-b(J-K4%cme*ojy+5Fc79lib|6%r7A9*38g;amQS-fVV06%U^ z?lK^QD;so1I2Wmup2CPQkQ#Oh1Id34#7O7KqUfPlO@vEF#>kuX?}y6BUgmw>Vel7o z6lY|7CB+q}OIIyyVdkJ;O5HcmJ@?U`zo0Z*YhUdF9>yhccfx2FQO!ZW5f!dh<6~pR zzh&5W#VgK8agmj<<1&-|0=nV1EqOWyRtU#|RS(C3{W%aLE3dyw>Q%H;x|`D~CBF&| zhz~AFHxr47t(R?>RpeUlARW!JHXQ8--}dRfA}gt+XQF)u#w(!orZeght^owsk)@2+ zsqSA&XzbvA&~%TTC%^e$%suI_AeIYCw^F-KUsbP== z&ykv^praM-)W{#iatqw)4alP%hF|D#yM9`~^lwH@Fvr$lvf(R&rzEm%;KiJgEq{FJ z*@2b`i`(!!#=BDC0c^B*pQ=A!bo&w~2lKc(92bd45D8Wj6yk1W4@Q7gls8Zz))z;E z_TO>eZ@%RoVr1Z((YRj^-b8{#THdT@GYpDCFn9jVgjn~Nu`x^C5BM9815Zf;jh06O zjm-5B>;J@4-OqD*)HxJZd<9ZclG?K4vXJ7h-G9B{a9x0jz;%JbE8Opsy3rt&mi~W( zz{9%8T;I}!pGVRDdf@8+f^@gB?UHn3@JmK!qW|$?Grj-W;s5tyFpX;7h25iYw=3Zh zU?p&sdA$DHonQM^bMO+Z7mYLSMuSKRZ&sN`#8M7^buDiHKGpBt5Mph66u%VGjR*h! 
z=GkwB)`*u&KKR9@g3Dinu5y#1q$<94LHo@W{BHQq0||ddas1O<29s5PpGlnkTbNwi zUc@|;Y~RKMxGff>I{mF6kJdy8*Y^xA!9N}Y+!=H*7Q79=i35q@-8Uem)Y;05=2G~k zHxc@3-~abX*w^`PR=O{^fN|gFuX6=|%DkI(cFT)4g)iVLQo8khwNIG+vj4R0SH<`7 zZY;7BpHCpFO>#zDZAZ%F$N*D@y1wKZgBfjuUhf0mqUkxcSQ-B9+*c>eAsfgZe2!4Y7pW>g2~$NCuzJ)g@|I$(NL+V=gL$#QI!O<;C8Pj8aX)Xh1+`E;*r2r%AQupgwDrGP1 zr|b9jCYBc@rELwA9-5%XH{{CwNYzk#Y4p=Pqj$ zGQ>EtEhSRyJ#SmYW7)jR>J;hEyCh5(x70&TzjJT@G`!^n_qs-IoBm6U4<9V$-H@C3 zisM9Yn%<|~1KT3+rD9P{eA80e`dR#er^1##^Pnd!=ZuEOYlr2D69~T|51F{<-B3Tz z9z;1&TX;k42QQ7c{briZyCIgp@Ae-iV)qKj|9Pohf;wB6G7ZNf#q6C7?uLu!!vUHy=@#(mgFOH8z^5`m4SBk!V z-=YcP&9{F8Mtz^veomJu%H-{}32bVYv}pqG*K;QRdABpu+tNQv8z=BEP$rtl? z1X2hGE)~*=<QJO|Cd308nN3oEdQfp1x%+Em+3HeiEBMNhA4zc_r*-6 zc*PZE*G=UF9qOPFPZWAvHSP>$GbP!lYg-Nv9QY_pbV_U{vNF*uXT|1WBd-Oui(!tq`QXQ{&?!2IE zc^At`t+s1kVHo}Cc?o{b3e|{vITtObw#bIo?E@xyaE}==yT88p&Mn zYG9|*Hm_f^w?f;8{|a;1%R6^2y$iW7^FHC>eHNT375L#x=7h_v`Nu5b^7r5or2Kz@2z&WIGE^1*wo2cDEGC33{yPVC?A;Z6 z+9-ah(4HrnWtnyLs$269LS#cq&F)8e?ncYDPo$)6$JZ4KAS>XFN2{j-G9;I)r#iCs z6a;K*3I&}N$?SXPL;0Iv+0pFAo;uaA+(xz0G;8JSsZmOwS&VUFvG}O7%jnzOuWFNN zw#tI6(P5wO7{9}d{qJlm{!sk158N@X@&3yni4RZ~L?36UxE-6>GKknYTFD}GN%5&e z?bXt)+jK95c>Px8G&%!sZt!SrOON+dn$$kGDR(SWFY5qWSe-miQQB$Yvd<7+=-^wW_B|qq3 zrczJp$J1Zx>ltz;sYvb!d2ad??II=4WU3D0DZ&*G$D8GEv>&HaWpw@{D&VZ=rXkCW zzr5a4RiyqNrofrkK`i!L9(Q^qa6g2RdRldRiCdJN>lBTH?J&>%jr~dtGh?fC zcVfswgj?wnC!ZEY&5Fb~3@JW6O@?_HGZu{!rQa2;r<6AW)#;uHSt>j0@wuGwZoSHR z`9Xk?aPZ3IV7)iU>`p)1C?%$6;o~%%oMe@=3w4nfGHX{P+RK`h>zLoP3#oPz zM-K)qPR!=DZ<&!FO9K%wSiu$$yh=9V%Dq+ES799bX!1#gN`^$ZJ*bFjp=Hla%5$*{ zO~9J66sorPogV0Fz5U6cXeT&Reh4!>IscyCVsLclI8zW(k5`QsyX7yP$aqR1LAL%3ru0&s>DRZ?}C{b;u^qd!5%5qug z*3Y5YIrlj+)G9!3PpzUtZS;DPVEi24dUlg$Cu1DXbxl`+uH?<}N%07&wLKL+f6J3w zw=(IOE0EWGoP5hnTQY^aUhuBz2EX!vhiJ=WCa8R6oeW#P<9JD=fnd>1 z_&ixd{GUO|jN6Zc#y>_2pGOA%8BrcWH*ye{DTrvK?e{YHs;*ZW9xQvMnji!MYh}dH zk?4ZGhNhQgkJdE?PL#84A5Y*Np4a|3YPd(|oZCd0Yjt1UFm&Q0Ci~GLtr0(jyC?bD z`fG>94u{1qp^e+v5q|6lbvZH=E!Hjcx_KOf+Ft2xY_b}U;2kz2*RImbEX$2GSP1eS 
zG`mVoE5|dST_g>sN+$FSX!FQZV$?XrV^Pa#Ux!QreU?T*?zMQxtm1mILcW@H-QcFox|c(RQ8q1PQ)6AE&O7(MTgD(_`7@6W@+-SjW4npK ru29CYE$1UlH7OOD6}+RYM^-kGyT}6v4(#m_9KeQVoZ8`kM)ZFGyiBKM diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml index cf10d37cd19..5b4299e7f9d 100644 --- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml +++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml @@ -20,8 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-unifiedlogs.unifiedlogs-*"] -language = "eql" +language = "esql" license = "Elastic License v2" name = "Clipboard Access via AppleScript" note = """## Triage and analysis @@ -66,10 +65,12 @@ tags = [ "Tactic: Collection", ] timestamp_override = "event.ingested" -type = "eql" +type = "esql" query = ''' -any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "Jons,gClp" +FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index +| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "Jons,gClp" +| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, message ''' [[rule.threat]] diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml index 59cb0fc803b..52ce39369ff 100644 --- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml +++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml 
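Review bot: The rule fires on every `Jons,gClp` event and the `KEEP` projection carries no attribution beyond host fields and the raw `message`, so an analyst cannot tell a clipboard manager or Alfred-style workflow from a stealer without re-querying. If the integration maps the sending process (a `process.*` or `unified_log.*` sender field), add it to `KEEP`; it is also the natural place for a `NOT ... IN (...)` exclusion of known clipboard utilities, but which field exists needs confirming against the mapping. With `index = [...]` removed, `FROM logs-unifiedlogs.unifiedlogs-*` is now the only scoping and `event.dataset == "unifiedlogs.log"` is load-bearing, so the mismatch between the index name and the dataset value deserves a comment in the rule itself, e.g. `# event.dataset is "unifiedlogs.log" while data_stream.dataset is "unifiedlogs.unifiedlogs"`, rather than living only in a commit message.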
@@ -23,8 +23,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-unifiedlogs.unifiedlogs-*"] -language = "eql" +language = "esql" license = "Elastic License v2" name = "Hidden Text Password Prompt via AppleScript" note = """## Triage and analysis @@ -71,11 +70,13 @@ tags = [ "Rule Type: BBR", ] timestamp_override = "event.ingested" -type = "eql" +type = "esql" query = ''' -any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "syso,dlog" and - apple_event.parameters == "htxt" +FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index +| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "syso,dlog" + AND apple_event.parameters == "htxt" +| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.parameters, message ''' [[rule.threat]] diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml index f6ef16a7257..68679380d28 100644 --- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml +++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml @@ -22,8 +22,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-unifiedlogs.unifiedlogs-*"] -language = "eql" +language = "esql" license = "Elastic License v2" name = "AppleScript Run Script from Hidden File in Staging Directory" note = """## Triage and analysis 
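Review bot: `apple_event.parameters == "htxt"` assumes a single-valued field; in ES|QL a comparison on a multi-valued field evaluates to null and the row is silently dropped, whereas the EQL `==` this replaces matched if any element equalled `htxt`. The plural name suggests the field can hold several parameters, in which case the rule would miss exactly the `display dialog ... with hidden answer` events it targets. If the mapping allows multiple values, expand before comparing: `| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "syso,dlog"`, then `| MV_EXPAND apple_event.parameters`, then `| WHERE apple_event.parameters == "htxt"`. Confirm against the integration's field definition; if the field is single-valued the current form is fine and a one-line comment saying so would stop the next reader asking the same question.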
@@ -69,16 +68,19 @@ tags = [ "Tactic: Defense Evasion", ] timestamp_override = "event.ingested" -type = "eql" +type = "esql" query = ''' -any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code in ("syso,dsct", "syso,exec") and - ( - apple_event.decoded_payloads like "*/tmp/.*" or - apple_event.decoded_payloads like "*/private/tmp/.*" or - apple_event.decoded_payloads like "*/var/tmp/.*" or - apple_event.decoded_payloads like "*/Users/Shared/.*" +FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index +| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" + AND apple_event.type_code IN ("syso,dsct", "syso,exec") + AND ( + apple_event.decoded_payloads LIKE "*/tmp/.*" OR + apple_event.decoded_payloads LIKE "*/private/tmp/.*" OR + apple_event.decoded_payloads LIKE "*/var/tmp/.*" OR + apple_event.decoded_payloads LIKE "*/Users/Shared/.*" ) +| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.decoded_payloads, message ''' [[rule.threat]] diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml index 179de0965b2..9ac5d6b0219 100644 --- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml +++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml @@ -21,8 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-unifiedlogs.unifiedlogs-*"] -language = "eql" +language = "esql" license = "Elastic License v2" name = "Volume Mute via AppleScript" note = """## Triage and analysis 
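Review bot: The four `LIKE` branches are partly redundant and the comparison semantics changed in the EQL-to-ES|QL conversion. `*/tmp/.*` already matches `/private/tmp/.x` and `/var/tmp/.x`, so only the `*/tmp/.*` and `*/Users/Shared/.*` branches add coverage; more importantly, if `apple_event.decoded_payloads` is multi-valued (the plural suggests it can be), ES|QL `LIKE` on it yields null and the event is dropped, unlike the EQL `like` it replaces. Expanding the field before the path test keeps the original behavior, as sketched below; whether the field is multi-valued needs confirming against the mapping. The pattern also matches `/tmp/./foo` and `/tmp/../x`, which is probably acceptable but worth a comment so nobody "tightens" it later.
```toml
type = "esql"
query = '''
FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos"
  AND apple_event.type_code IN ("syso,dsct", "syso,exec")
| MV_EXPAND apple_event.decoded_payloads
| WHERE apple_event.decoded_payloads LIKE "*/tmp/.*" OR apple_event.decoded_payloads LIKE "*/Users/Shared/.*"
// … unchanged: KEEP projection …
'''
```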
@@ -67,11 +66,13 @@ tags = [
 "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "esql"
 
 query = '''
-any where event.dataset == "unifiedlogs.log" and host.os.type == "macos" and apple_event.type_code == "aevt,stvl" and
- apple_event.mute == true
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "aevt,stvl"
+ AND apple_event.mute == true
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.mute, message
 '''
 
 [[rule.threat]]

From 1644ab7b4ad83664c90a1891578cb5e114bb416a Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Tue, 24 Mar 2026 10:40:58 -0500
Subject: [PATCH 13/14] Promote rules from development to production

Unified Logs integration is now GA. Rules are validated and ready for production use.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../collection_clipboard_access_via_applescript.toml | 2 +-
 ...tial_access_hidden_text_password_prompt_via_applescript.toml | 2 +-
 ...ii_character_obfuscation_and_shell_exec_via_applescript.toml | 2 +-
 ...t_from_hidden_file_in_staging_directory_via_applescript.toml | 2 +-
 .../unified_logs/execution_volume_mute_via_applescript.toml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index 5b4299e7f9d..53057218ac6 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/03/23"
 integration = ["unifiedlogs"]
-maturity = "development"
+maturity = "production"
 updated_date = "2026/03/23"
 
 [rule]
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index 52ce39369ff..ff4788d7f00 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/03/23"
 integration = ["unifiedlogs"]
-maturity = "development"
+maturity = "production"
 updated_date = "2026/03/23"
 
 [rule]
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
index 7dfd581c2da..73ea4d035bb 100644
--- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/03/23"
 integration = ["unifiedlogs"]
-maturity = "development"
+maturity = "production"
 updated_date = "2026/03/23"
 
 [rule]
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index 68679380d28..aafa1c21c67 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/03/23"
 integration = ["unifiedlogs"]
-maturity = "development"
+maturity = "production"
 updated_date = "2026/03/23"
 
 [rule]
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index 9ac5d6b0219..ab14bd9678c 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2026/03/23"
 integration = ["unifiedlogs"]
-maturity = "development"
+maturity = "production"
 updated_date = "2026/03/23"
 
 [rule]

From 5bb977e009ce43c87687b019299aa5ecdd562dd7 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Tue, 24 Mar 2026 12:11:12 -0500
Subject: [PATCH 14/14] Fix investigation guide title and add Investigation Guide tags

- Fix investigation guide title to match rule name for hidden file rule
- Add "Resources: Investigation Guide" tag to all rules with note field

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../collection_clipboard_access_via_applescript.toml | 1 +
 ...ial_access_hidden_text_password_prompt_via_applescript.toml | 1 +
 ...i_character_obfuscation_and_shell_exec_via_applescript.toml | 1 +
 ..._from_hidden_file_in_staging_directory_via_applescript.toml | 3 ++-
 .../unified_logs/execution_volume_mute_via_applescript.toml | 1 +
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
index 53057218ac6..68b545d6c3f 100644
--- a/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
+++ b/rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml
@@ -62,6 +62,7 @@ tags = [
 "Data Source: macOS Unified Logs",
 "Data Source: Unified Logs",
 "Use Case: Threat Detection",
+ "Resources: Investigation Guide",
 "Tactic: Collection",
 ]
 timestamp_override = "event.ingested"
diff --git a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
index ff4788d7f00..a33cefcb459 100644
--- a/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
+++ b/rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml
@@ -66,6 +66,7 @@ tags = [
 "Data Source: macOS Unified Logs",
 "Data Source: Unified Logs",
 "Use Case: Threat Detection",
+ "Resources: Investigation Guide",
 "Tactic: Credential Access",
 "Rule Type: BBR",
 ]
diff --git a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
index 73ea4d035bb..154f4b16acb 100644
--- a/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
+++ b/rules/integrations/unified_logs/defense_evasion_ascii_character_obfuscation_and_shell_exec_via_applescript.toml
@@ -66,6 +66,7 @@ tags = [
 "Data Source: macOS Unified Logs",
 "Data Source: Unified Logs",
 "Use Case: Threat Detection",
+ "Resources: Investigation Guide",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 ]
diff --git a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
index aafa1c21c67..99474760eed 100644
--- a/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_run_script_from_hidden_file_in_staging_directory_via_applescript.toml
@@ -27,7 +27,7 @@ license = "Elastic License v2"
 name = "AppleScript Run Script from Hidden File in Staging Directory"
 note = """## Triage and analysis
 
-### Investigating AppleScript Run Script from Hidden Temporary File
+### Investigating AppleScript Run Script from Hidden File in Staging Directory
 
 This rule detects the `run script` AppleScript command (`syso,dsct` Apple Event) targeting a hidden file in common staging directories (`/tmp/`, `/private/tmp/`, `/var/tmp/`, `/Users/Shared/`). The path appears in the Apple Event debug output as a UTF-16LE hex-encoded string. Stealers commonly write obfuscated or secondary-stage scripts as hidden files in these world-writable directories before executing them.
 
@@ -64,6 +64,7 @@ tags = [
 "Data Source: macOS Unified Logs",
 "Data Source: Unified Logs",
 "Use Case: Threat Detection",
+ "Resources: Investigation Guide",
 "Tactic: Execution",
 "Tactic: Defense Evasion",
 ]
diff --git a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
index ab14bd9678c..799e9eb33ca 100644
--- a/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
+++ b/rules/integrations/unified_logs/execution_volume_mute_via_applescript.toml
@@ -62,6 +62,7 @@ tags = [
 "Data Source: macOS Unified Logs",
 "Data Source: Unified Logs",
 "Use Case: Threat Detection",
+ "Resources: Investigation Guide",
 "Tactic: Execution",
 "Rule Type: BBR",
 ]