2 new rules

LasCC · web-flow · commit 84ddc823cfb1 · 2025-09-10T14:44:20.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -283,7 +283,7 @@
     {
         "category": "Defense Evasion",
         "name": "Suspicious Double Extension",
-        "query": "(src.process.name endswith '.doc.exe' OR src.process.name endswith '.docx.exe' OR src.process.name endswith '.xls.exe' OR src.process.name endswith '.xlsx.exe' OR src.process.name endswith '.ppt.exe' OR src.process.name endswith '.pptx.exe' OR src.process.name endswith '.rtf.exe' OR src.process.name endswith '.pdf.exe' OR src.process.name endswith '.txt.exe' OR src.process.name endswith ' .exe' OR src.process.name endswith '__.exe')\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n| sort -Count\n| limit 100000"
+        "query": "#filepath contains:anycase (\".doc.bat\",\".doc.dll\",\".doc.exe\",\".doc.htm\",\".doc.iso\",\".doc.jar\",\".doc.js\",\".doc.rar\",\".doc.sfx\",\".doc.vbs\",\".doc.zip\",\".docx.bat\",\".docx.dll\",\".docx.exe\",\".docx.htm\",\".docx.iso\",\".docx.jar\",\".docx.js\",\".docx.rar\",\".docx.sfx\",\".docx.vbs\",\".docx.zip\",\".jpg.exe\",\".jpg.iso\",\".jpg.rar\",\".jpg.zip\",\".pdf.bat\",\".pdf.exe\",\".pdf.htm\",\".pdf.iso\",\".pdf.jar\",\".pdf.js\",\".pdf.rar\",\".pdf.sfx\",\".pdf.vbs\",\".pdf.zip\",\".ppt.bat\",\".ppt.dll\",\".ppt.exe\",\".ppt.htm\",\".ppt.iso\",\".ppt.jar\",\".ppt.js\",\".ppt.rar\",\".ppt.sfx\",\".ppt.vbs\",\".ppt.zip\",\".pptx.bat\",\".pptx.dll\",\".pptx.exe\",\".pptx.htm\",\".pptx.iso\",\".pptx.jar\",\".pptx.js\",\".pptx.rar\",\".pptx.sfx\",\".pptx.vbs\",\".pptx.zip\",\".rar.exe\",\".rar.iso\",\".rtf.bat\",\".rtf.dll\",\".rtf.exe\",\".rtf.htm\",\".rtf.jar\",\".rtf.js\",\".rtf.sfx\",\".rtf.vbs\",\".txt.bat\",\".txt.dll\",\".txt.exe\",\".txt.htm\",\".txt.iso\",\".txt.jar\",\".txt.js\",\".txt.sfx\",\".txt.vbs\",\".xls.bat\",\".xls.dll\",\".xls.exe\",\".xls.htm\",\".xls.iso\",\".xls.jar\",\".xls.js\",\".xls.rar\",\".xls.sfx\",\".xls.vbs\",\".xls.zip\",\".xlsx.bat\",\".xlsx.dll\",\".xlsx.exe\",\".xlsx.htm\",\".xlsx.iso\",\".xlsx.jar\",\".xlsx.js\",\".xlsx.rar\",\".xlsx.sfx\",\".xlsx.vbs\",\".xlsx.zip\",\".zip.exe\",\".zip.iso\",\".pdf.msi\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName \n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Credential Access",
@@ -394,5 +394,15 @@
         "category" : "Installation & Persistence",
         "name": "RMM Process detected",
         "query": "(src.process.name contains:anycase (\"TeamViewer.exe\", \"AnyDesk.exe\", \"ScreenConnect.Client.exe\", \"LogMeIn.exe\", \"SRManager.exe\", \"SplashtopRemoteService.exe\", \"g2comm.exe\", \"g2tray.exe\", \"winvnc.exe\", \"DWRCS.exe\", \"DWRCSMS.exe\", \"rfusclient.exe\", \"rutserv.exe\", \"ZohoAssistService.exe\", \"KaUsrTsk.exe\", \"AgentMon.exe\", \"AteraAgent.exe\", \"pulsewayagent.exe\", \"NinjaRMMAgent.exe\", \"ncentralagent.exe\", \"MWAgent.exe\", \"ITSMService.exe\", \"CloudBerryRemoteAssistant.exe\", \"DomotzAgent.exe\", \"rasagent.exe\", \"client32.exe\", \"pciclient.exe\", \"vncserver.exe\", \"vncviewer.exe\", \"tvnviewer.exe\", \"tvnserver.exe\", \"AA_v3.exe\", \"rpclient.exe\", \"dwagent.exe\", \"isl_light_client.exe\", \"RemoteDesktopManager.exe\", \"Bomgar-scc.exe\", \"bomgar-rep.exe\", \"AweSun.exe\", \"wtserver.exe\", \"Action1Agent.exe\", \"Addigy.app\", \"AeroAdmin.exe\", \"Alpemix.exe\", \"apc_admin.exe\", \"AnyViewer.exe\", \"AuvikAgentService.exe\", \"BYS.exe\", \"BASupSrvc.exe\", \"remoting_host.exe\", \"CrossLoopConnect.exe\", \"CrossTecRemote.exe\", \"CagService.exe\", \"DesktopNow.exe\", \"DistantDesktop.exe\", \"ehorusclientctl.exe\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote.exe\", \"JumpCloud.exe\", \"server.exe\", \"MeshAgent.exe\", \"mRemoteNG.exe\", \"naveriskagent.exe\", \"OptiTuneAgent.exe\", \"Panorama9.exe\", \"parsecd.exe\", \"PDQInventory.exe\", \"rserver3.exe\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client.exe\", \"wShowMyPC.exe\", \"simplehelp.exe\", \"Supremo.exe\", \"Syncro.exe\", \"SyspectrAgent.exe\", \"TacticalAgent.exe\", \"techinline.exe\", \"winvnc4.exe\", \"UltraViewer.exe\", \"XMReality.exe\"))\nOR\n(src.process.parent.name contains:anycase (\"TeamViewer\", \"AnyDesk\", \"ScreenConnect.Client\", \"LogMeIn\", \"SRManager\", \"SplashtopRemoteService\", \"g2comm\", \"g2tray\", \"winvnc\", \"DWRCS\", \"DWRCSMS\", \"rfusclient\", \"rutserv\", \"ZohoAssistService\", \"KaUsrTsk\", \"AgentMon\", \"AteraAgent\", \"pulsewayagent\", \"NinjaRMMAgent\", \"ncentralagent\", \"MWAgent\", \"ITSMService\", \"CloudBerryRemoteAssistant\", \"DomotzAgent\", \"rasagent\", \"client32\", \"pciclient\", \"vncserver\", \"vncviewer\", \"tvnviewer\", \"tvnserver\", \"AA_v3\", \"rpclient\", \"dwagent\", \"isl_light_client\", \"RemoteDesktopManager\", \"Bomgar-scc\", \"bomgar-rep\", \"AweSun\", \"wtserver\", \"Action1Agent\", \"Addigy.app\", \"AeroAdmin\", \"Alpemix\", \"apc_admin\", \"AnyViewer\", \"AuvikAgentService\", \"BYS\", \"BASupSrvc\", \"remoting_host\", \"CrossLoopConnect\", \"CrossTecRemote\", \"CagService\", \"DesktopNow\", \"DistantDesktop\", \"ehorusclientctl\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote\", \"JumpCloud\", \"server\", \"MeshAgent\", \"mRemoteNG\", \"naveriskagent\", \"OptiTuneAgent\", \"Panorama9\", \"parsecd\", \"PDQInventory\", \"rserver3\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client\", \"wShowMyPC\", \"simplehelp\", \"Supremo\", \"Syncro\", \"SyspectrAgent\", \"TacticalAgent\", \"techinline\", \"winvnc4\", \"UltraViewer\", \"XMReality\"))\nAND\nNOT src.process.cmdline contains:anycase (\"Microsoft.DesktopAppInstaller\",\"Microsoft Azure AD Sync\",\"SAP BusinessObjects\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000"
+    },
+    {
+        "category" : "Defense Evasion",
+        "name" : "Anomalous Virtual Machine Installation Detected",
+        "query" : "#filepath contains:anycase (\".vmdk\",\".ovf\",\".ova\") #filepath contains:anycase (\"kali\",\"parrot\",\"blackarch\",\"exegol\",\"pentest\",\"redteam\",\"purpleteam\",\"reverse\",\"malware\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName \n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName, Count\n| sort -Count\n| limit 100000"
+    },
+    {
+        "category" : "Malware & Threats",
+        "name" : "Recent ISO Image Mount Activity Detected",
+        "query" : "indicator.metadata contains:anycase (\"\\\\Microsoft\\\\Windows\\\\Recent\\\\\") indicator.metadata contains:anycase (\".iso.lnk\", \".img.lnk\", \".vhd.lnk\", \".vhdx.lnk\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by indicator.name, indicator.metadata, src.process.displayName\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, indicator.name, indicator.metadata, src.process.displayName, Count\n| sort -Count\n| limit 100000"
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,7 @@`
`283`	`283`	`{`
`284`	`284`	`"category": "Defense Evasion",`
`285`	`285`	`"name": "Suspicious Double Extension",`
`286`		- "query": "(src.process.name endswith '.doc.exe' OR src.process.name endswith '.docx.exe' OR src.process.name endswith '.xls.exe' OR src.process.name endswith '.xlsx.exe' OR src.process.name endswith '.ppt.exe' OR src.process.name endswith '.pptx.exe' OR src.process.name endswith '.rtf.exe' OR src.process.name endswith '.pdf.exe' OR src.process.name endswith '.txt.exe' OR src.process.name endswith ' .exe' OR src.process.name endswith '__.exe')\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n\| sort -Count\n\| limit 100000"
	`286`	+ "query": "#filepath contains:anycase (\".doc.bat\",\".doc.dll\",\".doc.exe\",\".doc.htm\",\".doc.iso\",\".doc.jar\",\".doc.js\",\".doc.rar\",\".doc.sfx\",\".doc.vbs\",\".doc.zip\",\".docx.bat\",\".docx.dll\",\".docx.exe\",\".docx.htm\",\".docx.iso\",\".docx.jar\",\".docx.js\",\".docx.rar\",\".docx.sfx\",\".docx.vbs\",\".docx.zip\",\".jpg.exe\",\".jpg.iso\",\".jpg.rar\",\".jpg.zip\",\".pdf.bat\",\".pdf.exe\",\".pdf.htm\",\".pdf.iso\",\".pdf.jar\",\".pdf.js\",\".pdf.rar\",\".pdf.sfx\",\".pdf.vbs\",\".pdf.zip\",\".ppt.bat\",\".ppt.dll\",\".ppt.exe\",\".ppt.htm\",\".ppt.iso\",\".ppt.jar\",\".ppt.js\",\".ppt.rar\",\".ppt.sfx\",\".ppt.vbs\",\".ppt.zip\",\".pptx.bat\",\".pptx.dll\",\".pptx.exe\",\".pptx.htm\",\".pptx.iso\",\".pptx.jar\",\".pptx.js\",\".pptx.rar\",\".pptx.sfx\",\".pptx.vbs\",\".pptx.zip\",\".rar.exe\",\".rar.iso\",\".rtf.bat\",\".rtf.dll\",\".rtf.exe\",\".rtf.htm\",\".rtf.jar\",\".rtf.js\",\".rtf.sfx\",\".rtf.vbs\",\".txt.bat\",\".txt.dll\",\".txt.exe\",\".txt.htm\",\".txt.iso\",\".txt.jar\",\".txt.js\",\".txt.sfx\",\".txt.vbs\",\".xls.bat\",\".xls.dll\",\".xls.exe\",\".xls.htm\",\".xls.iso\",\".xls.jar\",\".xls.js\",\".xls.rar\",\".xls.sfx\",\".xls.vbs\",\".xls.zip\",\".xlsx.bat\",\".xlsx.dll\",\".xlsx.exe\",\".xlsx.htm\",\".xlsx.iso\",\".xlsx.jar\",\".xlsx.js\",\".xlsx.rar\",\".xlsx.sfx\",\".xlsx.vbs\",\".xlsx.zip\",\".zip.exe\",\".zip.iso\",\".pdf.msi\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName \n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName, Count\n\| sort -Count\n\| limit 100000"
`287`	`287`	`},`
`288`	`288`	`{`
`289`	`289`	`"category": "Credential Access",`
`@@ -394,5 +394,15 @@`
`394`	`394`	`"category" : "Installation & Persistence",`
`395`	`395`	`"name": "RMM Process detected",`
`396`	`396`	"query": "(src.process.name contains:anycase (\"TeamViewer.exe\", \"AnyDesk.exe\", \"ScreenConnect.Client.exe\", \"LogMeIn.exe\", \"SRManager.exe\", \"SplashtopRemoteService.exe\", \"g2comm.exe\", \"g2tray.exe\", \"winvnc.exe\", \"DWRCS.exe\", \"DWRCSMS.exe\", \"rfusclient.exe\", \"rutserv.exe\", \"ZohoAssistService.exe\", \"KaUsrTsk.exe\", \"AgentMon.exe\", \"AteraAgent.exe\", \"pulsewayagent.exe\", \"NinjaRMMAgent.exe\", \"ncentralagent.exe\", \"MWAgent.exe\", \"ITSMService.exe\", \"CloudBerryRemoteAssistant.exe\", \"DomotzAgent.exe\", \"rasagent.exe\", \"client32.exe\", \"pciclient.exe\", \"vncserver.exe\", \"vncviewer.exe\", \"tvnviewer.exe\", \"tvnserver.exe\", \"AA_v3.exe\", \"rpclient.exe\", \"dwagent.exe\", \"isl_light_client.exe\", \"RemoteDesktopManager.exe\", \"Bomgar-scc.exe\", \"bomgar-rep.exe\", \"AweSun.exe\", \"wtserver.exe\", \"Action1Agent.exe\", \"Addigy.app\", \"AeroAdmin.exe\", \"Alpemix.exe\", \"apc_admin.exe\", \"AnyViewer.exe\", \"AuvikAgentService.exe\", \"BYS.exe\", \"BASupSrvc.exe\", \"remoting_host.exe\", \"CrossLoopConnect.exe\", \"CrossTecRemote.exe\", \"CagService.exe\", \"DesktopNow.exe\", \"DistantDesktop.exe\", \"ehorusclientctl.exe\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote.exe\", \"JumpCloud.exe\", \"server.exe\", \"MeshAgent.exe\", \"mRemoteNG.exe\", \"naveriskagent.exe\", \"OptiTuneAgent.exe\", \"Panorama9.exe\", \"parsecd.exe\", \"PDQInventory.exe\", \"rserver3.exe\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client.exe\", \"wShowMyPC.exe\", \"simplehelp.exe\", \"Supremo.exe\", \"Syncro.exe\", \"SyspectrAgent.exe\", \"TacticalAgent.exe\", \"techinline.exe\", \"winvnc4.exe\", \"UltraViewer.exe\", \"XMReality.exe\"))\nOR\n(src.process.parent.name contains:anycase (\"TeamViewer\", \"AnyDesk\", \"ScreenConnect.Client\", \"LogMeIn\", \"SRManager\", \"SplashtopRemoteService\", \"g2comm\", \"g2tray\", \"winvnc\", \"DWRCS\", \"DWRCSMS\", \"rfusclient\", \"rutserv\", \"ZohoAssistService\", \"KaUsrTsk\", \"AgentMon\", \"AteraAgent\", \"pulsewayagent\", \"NinjaRMMAgent\", \"ncentralagent\", \"MWAgent\", \"ITSMService\", \"CloudBerryRemoteAssistant\", \"DomotzAgent\", \"rasagent\", \"client32\", \"pciclient\", \"vncserver\", \"vncviewer\", \"tvnviewer\", \"tvnserver\", \"AA_v3\", \"rpclient\", \"dwagent\", \"isl_light_client\", \"RemoteDesktopManager\", \"Bomgar-scc\", \"bomgar-rep\", \"AweSun\", \"wtserver\", \"Action1Agent\", \"Addigy.app\", \"AeroAdmin\", \"Alpemix\", \"apc_admin\", \"AnyViewer\", \"AuvikAgentService\", \"BYS\", \"BASupSrvc\", \"remoting_host\", \"CrossLoopConnect\", \"CrossTecRemote\", \"CagService\", \"DesktopNow\", \"DistantDesktop\", \"ehorusclientctl\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote\", \"JumpCloud\", \"server\", \"MeshAgent\", \"mRemoteNG\", \"naveriskagent\", \"OptiTuneAgent\", \"Panorama9\", \"parsecd\", \"PDQInventory\", \"rserver3\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client\", \"wShowMyPC\", \"simplehelp\", \"Supremo\", \"Syncro\", \"SyspectrAgent\", \"TacticalAgent\", \"techinline\", \"winvnc4\", \"UltraViewer\", \"XMReality\"))\nAND\nNOT src.process.cmdline contains:anycase (\"Microsoft.DesktopAppInstaller\",\"Microsoft Azure AD Sync\",\"SAP BusinessObjects\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n\| sort -Count\n\| limit 100000"
	`397`	`+ },`
	`398`	`+ {`
	`399`	`+ "category" : "Defense Evasion",`
	`400`	`+ "name" : "Anomalous Virtual Machine Installation Detected",`
	`401`	+ "query" : "#filepath contains:anycase (\".vmdk\",\".ovf\",\".ova\") #filepath contains:anycase (\"kali\",\"parrot\",\"blackarch\",\"exegol\",\"pentest\",\"redteam\",\"purpleteam\",\"reverse\",\"malware\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName \n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, tgt.file.path , tgt.file.originalFileName, Count\n\| sort -Count\n\| limit 100000"
	`402`	`+ },`
	`403`	`+ {`
	`404`	`+ "category" : "Malware & Threats",`
	`405`	`+ "name" : "Recent ISO Image Mount Activity Detected",`
	`406`	+ "query" : "indicator.metadata contains:anycase (\"\\\\Microsoft\\\\Windows\\\\Recent\\\\\") indicator.metadata contains:anycase (\".iso.lnk\", \".img.lnk\", \".vhd.lnk\", \".vhdx.lnk\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by indicator.name, indicator.metadata, src.process.displayName\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, indicator.name, indicator.metadata, src.process.displayName, Count\n\| sort -Count\n\| limit 100000"
`397`	`407`	`}`
`398`	`408`	`]`