Ransomware Data Type Changes #234

Merged
magermark merged 1 commit into master from ep-233 on Mar 28, 2022

Conversation

@magermark (Contributor) commented Mar 9, 2022

Change Summary

Reference: #233

Ransomware alerts may contain Ransomware.files.data and/or Ransomware.child_processes.files.data, and we needed to update the type of these fields from binary to keyword due to how we have traditionally been generating these alerts (with strings of hexadecimal characters) and in order to allow for these fields to be exceptionable.

Sample values

Complete example of an Endpoint ransomware alert with Ransomware.files.data:
{
    "@timestamp": "2022-03-07T22:31:51.1921522Z",
    "Ransomware": {
        "feature": "canary",
        "files": [
            {
                "data": "FFFE0D000A0020002000200020002000",
                "entropy": 2.11497982051648,
                "extension": "ini",
                "operation": "creation",
                "path": "c:\\users\\tempdata\\igiraldo\\ntuser.ini",
                "score": 0
            },
            {
                "data": "FFFE0D000A005B002E00530068006500",
                "entropy": 3.52286954864205,
                "extension": "ini",
                "operation": "creation",
                "path": "c:\\users\\tempdata\\igiraldo\\3d objects\\desktop.ini",
                "score": 0
            },
            {
                "data": "5468697320697320612063616E617279",
                "entropy": 4.14316554644241,
                "extension": "doc",
                "metrics": [
                    "CANARY_ACTIVITY"
                ],
                "operation": "creation",
                "path": "c:\\users\\tempdata\\igiraldo\\aaantiransomelastic-do-not-touch-dab6d40c-a6a1-442c-adc4-9d57a47e58d7\\antiransomelastic-do-not-touch-4568452b-fc17-414d-afb6-ddeceb5ec54c.doc",
                "score": 0
            }
        ],
        "version": "1.3.2"
    }
}
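The reason behind the binary-to-keyword change is easy to see on the sample values: every data field holds the first bytes of the touched file as a hexadecimal text string, and an Elasticsearch binary field would read that text as base64, producing different bytes and a field that cannot be matched by an exception. The script below is an added example written for this page, not code from the PR or from the Endpoint project; it walks both Ransomware.files[].data and Ransomware.child_processes[].files[].data in a constructed alert trimmed from the samples above, checks that each value is the even-length hex string a keyword mapping expects, labels the decoded header, contrasts the base64 reading a binary mapping would apply, and performs the literal-string match an exception on a keyword field relies on. The header-signature table and the ascii-text label are assumptions for illustration, not Endpoint's own classification.

```python
import base64
import binascii
import re

# Constructed sample alert (trimmed from the shapes shown in the PR samples).
SAMPLE_ALERT = {
    "Ransomware": {
        "files": [
            {"data": "FFFE0D000A0020002000200020002000", "extension": "ini"},
            {"data": "5468697320697320612063616E617279", "extension": "doc"},
        ],
        "child_processes": [
            {"pid": 17204, "files": [
                {"data": "89504E470D0A1A0A0000000D49484452", "extension": "png"},
            ]},
        ],
    }
}

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Leading-byte signatures used only to label decoded headers (assumption, not an Endpoint table).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xfe": "utf-16le-bom",
}


def iter_data_fields(alert):
    """Yield (dotted field name, value) for every data field the PR describes."""
    rw = alert.get("Ransomware", {})
    for f in rw.get("files", []):
        if "data" in f:
            yield "Ransomware.files.data", f["data"]
    for cp in rw.get("child_processes", []):
        for f in cp.get("files", []):
            if "data" in f:
                yield "Ransomware.child_processes.files.data", f["data"]


def validate_hex_keyword(value):
    """True when the value is what a keyword mapping stores here: even-length hex text."""
    return bool(HEX_RE.match(value)) and len(value) % 2 == 0


def classify_header(value):
    """Decode the hex header and label it by signature, printable ASCII, or unknown."""
    hdr = bytes.fromhex(value)
    for sig, name in SIGNATURES.items():
        if hdr.startswith(sig):
            return name
    if all(0x20 <= b <= 0x7E for b in hdr):
        return "ascii-text"
    return "unknown"


def binary_vs_keyword(value):
    """Return (keyword reading, binary reading) of the same document value.

    A keyword field keeps the literal string. A binary field treats the string
    as base64, so hex text is silently reinterpreted as unrelated bytes; None
    is returned when the text is not even valid base64.
    """
    try:
        as_binary = base64.b64decode(value, validate=True)
    except binascii.Error:
        as_binary = None
    return value, as_binary


def check_alert(alert):
    """Validate every data field and report how each mapping type would read it."""
    results = []
    for field, value in iter_data_fields(alert):
        ok = validate_hex_keyword(value)
        _, as_binary = binary_vs_keyword(value) if ok else (value, None)
        results.append({
            "field": field,
            "value": value,
            "valid_hex": ok,
            "header": classify_header(value) if ok else None,
            "bytes_if_read_as_base64": len(as_binary) if as_binary is not None else None,
        })
    return results


def matches_exception(alert, field, value):
    """Exact string match on a keyword field, the comparison an exception performs."""
    return any(f == field and v == value for f, v in iter_data_fields(alert))


if __name__ == "__main__":
    for row in check_alert(SAMPLE_ALERT):
        print(row)
    kw, bin_ = binary_vs_keyword("89504E470D0A1A0A0000000D49484452")
    print("keyword keeps:", kw)
    print("binary would store:", bin_)
```

Running it shows the PNG header string decoding to 16 meaningful bytes under the keyword reading but to 24 unrelated bytes under the base64 reading, which is why a binary mapping could neither preserve the value nor support an exact-match exception on it.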
Complete example of an Endpoint ransomware alert with Ransomware.child_processes.files.data:
{
    "@timestamp": "2022-02-28T09:11:44.0109365Z",
    "Endpoint": {
        "policy": {
            "applied": {
                "artifacts": {
                    "global": {
                        "identifiers": [
                            {
                                "name": "diagnostic-configuration-v1",
                                "sha256": "9a0c8808ce6d9b8043cc3033ec55de4fee958dc871680789f699c16e3079cc05"
                            },
                            {
                                "name": "diagnostic-endpointpe-v4-blocklist",
                                "sha256": "c33693fcadb720d4d37706cd2ca77b28a8c59a424ab3f251b2b07ac7975eb2f4"
                            },
                            {
                                "name": "diagnostic-endpointpe-v4-exceptionlist",
                                "sha256": "bc06f9f85c5fc4aa724a1a543717042871e3d52991adeba79f3ba1fa35abd75a"
                            },
                            {
                                "name": "diagnostic-endpointpe-v4-model",
                                "sha256": "28d326d2f11116d03a6afdf4d4b53311d2e95d5762832571896bd4a9a0e73911"
                            },
                            {
                                "name": "diagnostic-malware-signature-v1-windows",
                                "sha256": "a0ed2d878fbaa094b72d18a3710d6d4ed0af076c5210f3533a582a86bce09c06"
                            },
                            {
                                "name": "diagnostic-ransomware-v1-windows",
                                "sha256": "27f02966be2e0662af48c632ed593179a0867fd0507bbabfae70b3e110faa371"
                            },
                            {
                                "name": "diagnostic-rules-windows-v1",
                                "sha256": "cae1cfc50aafbdde67d60743d1e653bee823645443a2a4b38f65b9e416185f84"
                            },
                            {
                                "name": "endpointpe-v4-blocklist",
                                "sha256": "060c237293b0227178c400075df0ffd82af1ee9bfd4dbec2f76b916d888590f5"
                            },
                            {
                                "name": "endpointpe-v4-exceptionlist",
                                "sha256": "e783aca33a50c80ed1b2220114b03f474cdbc46f0876713cfeb1fcfc85dc0f63"
                            },
                            {
                                "name": "endpointpe-v4-model",
                                "sha256": "eefecf029ae70ec948d358e8b1030e41c8ffad676e7fb8c797b0e39e407e3e0a"
                            },
                            {
                                "name": "global-configuration-v1",
                                "sha256": "b98dc812e3cd9c9aa21462bb8b2bac86158d6d2d97ea4aac6731c069f6babb4d"
                            },
                            {
                                "name": "global-exceptionlist-windows",
                                "sha256": "540dde1901d278b58cfc09a051a10d9c9a587875f18b3604c65cd4047e36d358"
                            },
                            {
                                "name": "global-trustlist-windows-v1",
                                "sha256": "d72a108c5cd65d46e932dab5a3f38ac9689020aa5730024b35146962469ebf9b"
                            },
                            {
                                "name": "production-malware-signature-v1-windows",
                                "sha256": "611a02c398c58ebe2f6d9d63621778de96263ef7fa885098ce62a22c411d67bc"
                            },
                            {
                                "name": "production-ransomware-v1-windows",
                                "sha256": "4d7ed75842048694d9dc01efffc55ce9cefe4e412c9acd702ea7d0bcdfdc4b09"
                            },
                            {
                                "name": "production-rules-windows-v1",
                                "sha256": "ba8822f31320352e85b77850bd15bcf8b381496b065d95a2e3fdac65edd0575d"
                            }
                        ],
                        "version": "1.0.224"
                    },
                    "user": {
                        "identifiers": [
                            {
                                "name": "endpoint-eventfilterlist-windows-v1",
                                "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
                            },
                            {
                                "name": "endpoint-exceptionlist-windows-v1",
                                "sha256": "36b2d088903c71463677d3b83e57d5971c57620eb0a3a151afd48f17f159c48d"
                            },
                            {
                                "name": "endpoint-hostisolationexceptionlist-windows-v1",
                                "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
                            },
                            {
                                "name": "endpoint-trustlist-windows-v1",
                                "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658"
                            }
                        ],
                        "version": "1.0.10"
                    }
                }
            }
        }
    },
    "Ransomware": {
        "child_processes": [
            {
                "executable": "C:\\Program Files\\Fortinet\\FortiClient\\fcaptmon.exe",
                "files": [
                    {
                        "data": "30333433323232303231373034303630",
                        "entropy": 7.64091806696165,
                        "extension": "",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "overwrite",
                        "path": "c:\\program files\\fortinet\\forticlient\\vir_sig\\vir_sandbox_sig",
                        "score": 0.05
                    }
                ],
                "pid": 8248,
                "score": 0.05
            },
            {
                "executable": "C:\\Program Files\\Fortinet\\FortiClient\\update_task.exe",
                "files": [
                    {
                        "data": "0000010002000000000001002000193C",
                        "entropy": 4.88115779273243,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70546571723651,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100020000000000010020009EE1",
                        "entropy": 4.36189650835928,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.55254216863781,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010001002020000001002000A810",
                        "entropy": 3.35396145718861,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50172621061455,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010003002020100001000400E802",
                        "entropy": 2.54396556966991,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.69284824171492,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040010101000000000002801",
                        "entropy": 3.31532151498571,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.70160198211533,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.png",
                        "score": 0
                    },
                    {
                        "data": "00000100010000000000010020002B27",
                        "entropy": 7.74060852381833,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70971362837062,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.png",
                        "score": 0.05
                    }
                ],
                "pid": 17204,
                "score": 0.285
            },
            {
                "executable": "C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
                "files": [
                    {
                        "data": "D9D505F920A163D70000000A24EEEFD1",
                        "entropy": 3.94782862166061,
                        "extension": "dat@journal",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\fclog.dat@journal",
                        "score": 0
                    },
                    {
                        "data": "D9D505F920A163D7000000069E4F836E",
                        "entropy": 2.13957828091858,
                        "extension": "dat@journal",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\netdb.dat@journal",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23042657052156,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089626.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23309572912861,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089627.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24289514802376,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089629.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24819066995674,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089630.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23566322190452,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089632.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.27497285542282,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089633.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24506829783974,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089635.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2733266891593,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089636.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2628881293093,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089638.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.27389810052288,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089639.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26074021612959,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089641.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25253102536794,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089642.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23013997208966,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089704.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24649675035459,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089861.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24707283001057,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089862.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24406491946558,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645089864.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24328250178443,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645090568.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24898362682848,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645090569.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2503843300748,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645090571.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26781665367061,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645090572.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25573334566697,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645091565.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26351591469057,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645091566.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25549912794328,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645092465.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.30548894130685,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645092466.log",
                        "score": 0
                    },
                    {
                        "data": "0000010002000000000001002000193C",
                        "entropy": 4.88115779273243,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70546571723651,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100020000000000010020009EE1",
                        "entropy": 4.36189650835928,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.55254216863781,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010001002020000001002000A810",
                        "entropy": 3.35396145718861,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50172621061455,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010003002020100001000400E802",
                        "entropy": 2.54396556966991,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.69284824171492,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040010101000000000002801",
                        "entropy": 3.31532151498571,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.70160198211533,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.png",
                        "score": 0
                    },
                    {
                        "data": "00000100010000000000010020002B27",
                        "entropy": 7.74060852381833,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70971362837062,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100070010101000010004002801",
                        "entropy": 1.81191974811498,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\220646291.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.44540980262852,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\220646291.png",
                        "score": 0
                    },
                    {
                        "data": "00000100050010100000010020006804",
                        "entropy": 4.12110564082005,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\381081779.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.52300141191741,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\381081779.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100040010101000000000002801",
                        "entropy": 3.31532151498571,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1913157502.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.70160198211533,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1913157502.png",
                        "score": 0
                    },
                    {
                        "data": "00000100050010100000010020006804",
                        "entropy": 3.7530211471644,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1367287368.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.74589223512116,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1367287368.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100030000000000010008002404",
                        "entropy": 2.09161385693887,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2583725937.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.85814841873,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2583725937.png",
                        "score": 0
                    },
                    {
                        "data": "00000100010080800000010020002808",
                        "entropy": 0.53295921132943,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2181973066.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26090266479309,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2181973066.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001000000000001002000D16F",
                        "entropy": 7.6531304275278,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3085943732.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.41372712996281,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3085943732.png",
                        "score": 0
                    },
                    {
                        "data": "00000100020000000000010020001E33",
                        "entropy": 4.84291865413709,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\335525420.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50325286928459,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\335525420.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100030010101000010004002801",
                        "entropy": 3.53418888534516,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\0.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.40482049811163,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\0.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2085404897.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2085404897.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2349326867.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2349326867.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3402302025.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3402302025.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3276537528.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3276537528.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3817463593.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3817463593.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040010100000000020006804",
                        "entropy": 3.22030987745757,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\555140510.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.69236177691371,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\555140510.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010003000000000001000800540F",
                        "entropy": 4.58690454688032,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\735871797.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\735871797.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3016245751.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3016245751.png",
                        "score": 0
                    },
                    {
                        "data": "00000100020000000000010020009EE1",
                        "entropy": 4.36189650835928,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3361737910.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.55254216863781,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3361737910.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1417398377.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1417398377.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\13101810.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\13101810.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3065640957.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3065640957.png",
                        "score": 0
                    },
                    {
                        "data": "00000100070010101000010004002801",
                        "entropy": 1.81191974811498,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\234428056.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.44540980262852,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\234428056.png",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.227337253135,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645093365.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23285252023327,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645093366.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2379562427786,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645093368.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25773069738157,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645093369.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22664808188809,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645094265.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23698963715499,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645094266.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24590885664178,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645095165.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22901161168638,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645095166.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23500093072421,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096065.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22903998218063,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096066.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23274063342881,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096068.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23712762248313,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096069.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24163972387467,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096071.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25418987774369,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096965.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24854751382846,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645096966.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24230085243132,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645097770.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24648878752623,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645097772.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26070593358058,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645097773.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23193886355429,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645098706.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23016484081914,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645098708.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23727877451238,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645099606.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2507728036873,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645100506.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22480363018182,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645100508.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23276672898516,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645101368.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25374597457499,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645101369.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24564377577592,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645101371.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2315494141289,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645101372.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24621306536141,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645101374.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26425245714101,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645102282.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24375667282477,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645103182.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23793487175711,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645103183.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24503908344007,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104082.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23692235999995,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104083.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23554496316368,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104085.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2345838760731,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104086.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23672552063753,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104088.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23226355086737,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104089.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23313354748818,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104091.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23099498166035,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104092.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23495791720638,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104094.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24817862910381,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104095.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25614417934418,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104097.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23186387133445,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104098.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23495809152423,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104100.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24185114452546,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104101.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24196855461776,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104103.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23912283619044,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104104.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24785494175326,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104106.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23758076632684,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104107.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2491342998444,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104109.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25507781349883,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104110.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24759504624298,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104112.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24344829240931,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104113.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23587065583913,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104970.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.27003559739865,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645104971.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23926138506438,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645105884.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22093157091253,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645105885.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25929347776594,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645105887.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24544110513135,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645106784.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25162458234846,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645106785.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22678109239432,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645106787.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22912516676722,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645106788.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2361393719279,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645107684.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24989325203656,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645107685.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2679856440589,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645107687.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.30506538797885,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645107688.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25024855332286,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645108569.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24527943214357,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645108571.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23426679617697,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645109483.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26730094688742,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645109485.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26190435011157,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645109486.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24478887020897,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645109488.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24437437736581,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645109489.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23139448722618,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645110383.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22860119660202,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645110385.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24354937843593,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645111283.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2489365854154,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645111285.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24007683900569,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645112170.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25299808111826,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645112172.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25928771490196,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645113107.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24387756540195,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645113108.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24693088347849,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645113110.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24466582080981,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645113111.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.21869416918022,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114007.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.20287573762395,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114008.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25057900888176,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114907.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25170307405517,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114908.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24527028324929,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114910.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25245000192284,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114911.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25334375383145,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645114913.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22830393706193,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645115767.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.21583279895652,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645115768.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.12081870617806,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645115770.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25655413544291,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645116739.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24946704991819,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645116740.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.14422400645799,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645116742.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23712620811301,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645117639.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23802453714442,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645117640.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.22957447342298,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645118539.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24922885982625,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645118540.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26618219964441,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645118542.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25958432037368,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645118543.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2597540010055,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645118545.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25722927405864,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645119625.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.27203667337416,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645119626.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25346406021301,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645119628.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26964765217745,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645120648.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2384421515954,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645121548.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24829138329706,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645121549.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2446777970461,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645121890.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25065361788895,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645122848.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25373842926119,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645123748.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.27430687844453,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645124648.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.2390739368255,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645124650.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.24054194140309,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645125487.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.25353141266931,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645125488.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.23332232155323,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645125490.log",
                        "score": 0
                    },
                    {
                        "data": "646174653D323032322D30322D313720",
                        "entropy": 5.26334473224243,
                        "extension": "log",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\traffic1645125491.log",
                        "score": 0
                    }
                ],
                "pid": 8144,
                "score": 0.69
            },
            {
                "executable": "C:\\Program Files\\Fortinet\\FortiClient\\FortiESNAC.exe",
                "files": [
                    {
                        "data": "0000010002000000000001002000193C",
                        "entropy": 4.88115779273243,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70546571723651,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3478739855.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100020000000000010020009EE1",
                        "entropy": 4.36189650835928,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.55254216863781,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2944073191.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010001002020000001002000A810",
                        "entropy": 3.35396145718861,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50172621061455,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1675251984.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010003002020100001000400E802",
                        "entropy": 2.54396556966991,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.69284824171492,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1770210828.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040010101000000000002801",
                        "entropy": 3.31532151498571,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.70160198211533,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2524896003.png",
                        "score": 0
                    },
                    {
                        "data": "00000100010000000000010020002B27",
                        "entropy": 7.74060852381833,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.70971362837062,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1158590297.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100070010101000010004002801",
                        "entropy": 1.81191974811498,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\220646291.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.44540980262852,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\220646291.png",
                        "score": 0
                    },
                    {
                        "data": "00000100050010100000010020006804",
                        "entropy": 4.12110564082005,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\381081779.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.52300141191741,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\381081779.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100040010101000000000002801",
                        "entropy": 3.31532151498571,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1913157502.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.70160198211533,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1913157502.png",
                        "score": 0
                    },
                    {
                        "data": "00000100050010100000010020006804",
                        "entropy": 3.7530211471644,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1367287368.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.74589223512116,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1367287368.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100030000000000010008002404",
                        "entropy": 2.09161385693887,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2583725937.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 6.85814841873,
                        "extension": "png",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2583725937.png",
                        "score": 0
                    },
                    {
                        "data": "00000100010080800000010020002808",
                        "entropy": 0.53295921132943,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2181973066.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26090266479309,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2181973066.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001000000000001002000D16F",
                        "entropy": 7.6531304275278,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3085943732.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.41372712996281,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3085943732.png",
                        "score": 0
                    },
                    {
                        "data": "00000100020000000000010020001E33",
                        "entropy": 4.84291865413709,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\335525420.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50325286928459,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\335525420.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100030010101000010004002801",
                        "entropy": 3.53418888534516,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\0.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.40482049811163,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\0.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2085404897.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2085404897.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2349326867.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2349326867.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3402302025.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3402302025.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3276537528.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3276537528.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3817463593.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3817463593.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040010100000000020006804",
                        "entropy": 3.22030987745757,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\555140510.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.69236177691371,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\555140510.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010003000000000001000800540F",
                        "entropy": 4.58690454688032,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\735871797.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\735871797.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3016245751.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3016245751.png",
                        "score": 0
                    },
                    {
                        "data": "00000100020000000000010020009EE1",
                        "entropy": 4.36189650835928,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3361737910.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.55254216863781,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3361737910.png",
                        "score": 0.05
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1417398377.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1417398377.png",
                        "score": 0
                    },
                    {
                        "data": "00000100040000000000010008006813",
                        "entropy": 4.62298843425188,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\13101810.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.03427503376579,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\13101810.png",
                        "score": 0
                    },
                    {
                        "data": "0000010001002020000001000800A808",
                        "entropy": 3.36363130340256,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3065640957.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.26264580553571,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3065640957.png",
                        "score": 0
                    },
                    {
                        "data": "00000100070010101000010004002801",
                        "entropy": 1.81191974811498,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\234428056.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.44540980262852,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\234428056.png",
                        "score": 0
                    },
                    {
                        "data": "444154415F4845414445520A5549443D",
                        "entropy": 6.50250464852714,
                        "extension": "bin",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\large_data_upload\\0.bin",
                        "score": 0
                    },
                    {
                        "data": "4348554E4B5F4845414445520A554944",
                        "entropy": 7.68097593828671,
                        "extension": "bin",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\large_data_upload\\1.bin",
                        "score": 0.05
                    },
                    {
                        "data": "3C3F786D6C2076657273696F6E3D2231",
                        "entropy": 4.99688963307701,
                        "extension": "cnf",
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\ec\\tmp.cnf",
                        "score": 0
                    },
                    {
                        "data": "3C3F786D6C2076657273696F6E3D2231",
                        "entropy": 4.99688963307701,
                        "extension": "conf",
                        "operation": "overwrite",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\ec\\push.conf",
                        "score": 0
                    },
                    {
                        "data": "0000010001000000000001002000D16F",
                        "entropy": 7.6531304275278,
                        "extension": "tmp",
                        "metrics": [
                            "ENTROPY_VERY_HIGH",
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3445336858.ico.tmp",
                        "score": 0.055
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.41372712996281,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\3445336858.png",
                        "score": 0
                    },
                    {
                        "data": "00000100020000000000010020001E33",
                        "entropy": 4.84291865413709,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2975978289.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.50325286928459,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\2975978289.png",
                        "score": 0.05
                    },
                    {
                        "data": "00000100020000000000010020008825",
                        "entropy": 5.00510578334597,
                        "extension": "tmp",
                        "metrics": [
                            "KNOWN_SUBEXTENSION",
                            "CREATE_KNOWN_SUBEXTENSION"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1949624266.ico.tmp",
                        "score": 0.005
                    },
                    {
                        "data": "89504E470D0A1A0A0000000D49484452",
                        "entropy": 7.71114923210616,
                        "extension": "png",
                        "metrics": [
                            "ENTROPY_VERY_HIGH"
                        ],
                        "operation": "creation",
                        "path": "c:\\program files\\fortinet\\forticlient\\softwareinventory\\1949624266.png",
                        "score": 0.05
                    },
                    {
                        "data": "3C3F786D6C2076657273696F6E3D2231",
                        "entropy": 4.65099707738069,
                        "extension": "conf",
                        "operation": "overwrite",
                        "path": "c:\\program files\\fortinet\\forticlient\\logs\\ec\\onnet.conf",
                        "score": 0
                    }
                ],
                "pid": 8208,
                "score": 0.905
            }
        ],
        "feature": "behavior",
        "score": 100,
        "version": "1.3.1"
    },
    "agent": {
        "build": {
            "original": "version: 7.16.1, compiled: Thu Dec 9 16:00:00 2021, branch: 7.16, commit: fdb4ff682aec483cd701d56cdd0d755426f6cd6e"
        },
        "id": "08b10759-caa8-446b-b39b-fb8559f7fe83",
        "type": "endpoint",
        "version": "7.16.1"
    },
    "channel": "alerts-endpoint",
    "cloud": {
        "cluster_name": "f7b510658f5c45e994a5ee3c385a5a5b",
        "deployment_info": {
            "account_uuid": 1770010627,
            "deployment_parent": "f7b510658f5c45e994a5ee3c385a5a5b",
            "domain": "factoryinternet.co.uk",
            "in_trial": false,
            "is_cloud": true,
            "is_elastic_internal": false
        }
    },
    "cluster_info": {
        "cluster_name": "f7b510658f5c45e994a5ee3c385a5a5b",
        "cluster_uuid": "1k7P2fOHSRmeHmAayPl9Zw",
        "license": {
            "issue_date": "2020-03-24T00:00:00.000Z",
            "issued_to": "Elastic Cloud",
            "status": "active",
            "type": "enterprise",
            "uid": "fb7a9815-8b0a-4608-b786-049fbec4a4a8"
        },
        "version": "7.15.2"
    },
    "cluster_name": "f7b510658f5c45e994a5ee3c385a5a5b",
    "cluster_uuid": "1k7P2fOHSRmeHmAayPl9Zw",
    "data_stream": {
        "dataset": "endpoint.diagnostic.collection",
        "namespace": "lumyna",
        "type": ".logs"
    },
    "ecs": {
        "version": "1.11.0"
    },
    "elastic": {
        "agent": {
            "id": "08b10759-caa8-446b-b39b-fb8559f7fe83"
        }
    },
    "event": {
        "action": "files-encrypted",
        "agent_id_status": "verified",
        "category": [
            "malware",
            "intrusion_detection",
            "process",
            "file"
        ],
        "code": "ransomware",
        "created": "2022-02-28T09:11:44.0109365Z",
        "dataset": "endpoint.diagnostic.collection",
        "id": "MUsEOypT/msH06JW+++BT7pY",
        "ingested": "2022-02-28T09:19:34Z",
        "kind": "alert",
        "module": "endpoint",
        "risk_score": 99,
        "sequence": 74200098,
        "severity": 99,
        "type": [
            "info",
            "start",
            "change",
            "allowed"
        ]
    },
    "host": {
        "os": {
            "Ext": {
                "variant": "Windows 10 Enterprise"
            },
            "family": "windows",
            "full": "Windows 10 Enterprise 20H2 (10.0.19042.1526)",
            "kernel": "20H2 (10.0.19042.1526)",
            "name": "Windows",
            "platform": "windows",
            "type": "windows",
            "version": "20H2 (10.0.19042.1526)"
        }
    },
    "location": "gs://elastic-telemetry-prod-data/raw/1646039995.962614-967a2839f3e8a110ac0ab58ffebea4a3",
    "process": {
        "Ext": {
            "architecture": "x86_64",
            "code_signature": [
                {
                    "exists": true,
                    "status": "trusted",
                    "subject_name": "Fortinet Technologies (Canada) ULC",
                    "trusted": true
                }
            ],
            "dll": [
                {
                    "Ext": {
                        "mapped_address": 140700656533504,
                        "mapped_size": 266240
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Fortinet Technologies (Canada) ULC",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "eb52022c6ff096ff4d8a439e52ae3602",
                        "sha1": "a1c1e5fdbe1a045dcdc38bc437f12000fcfb50d7",
                        "sha256": "43d21eed82b9aa876f9750af01468ddf074c1bcde3219854ece88f85622a7d48"
                    },
                    "name": "scheduler.exe",
                    "path": "C:\\Program Files\\Fortinet\\FortiClient\\scheduler.exe"
                },
                {
                    "Ext": {
                        "mapped_address": 140730010238976,
                        "mapped_size": 2052096
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "d1d7a092e2cacd614bba4a293159d7d7",
                        "sha1": "c72dc39ba48957ebcabcb6c3898f4b041e9923a0",
                        "sha256": "262dd735296ad742cffd04258dc8b5e49b5fa5f7789a737109565bcccd3b36eb"
                    },
                    "name": "ntdll.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729998639104,
                        "mapped_size": 778240
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "9d48db32122d192d5f17f9a67240a328",
                        "sha1": "6bc17c6b2f58637005d298d9c5c407464a15b047",
                        "sha256": "b80f1242fd439fd3c0745cad0460892dc8a74d58e1c748177568142963e096db"
                    },
                    "name": "KERNEL32.DLL",
                    "path": "C:\\WINDOWS\\System32\\KERNEL32.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729972490240,
                        "mapped_size": 2916352
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "9a0dfce41ba321e065a70eee4b4c927e",
                        "sha1": "5c9756db21ed0e919a8ef7aaf2b8f8dd7ef48476",
                        "sha256": "b6983053a4da13af6449d7a631b6f00bbd565ea810a64afaaa587147328a563d"
                    },
                    "name": "KERNELBASE.dll",
                    "path": "C:\\WINDOWS\\System32\\KERNELBASE.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729980485632,
                        "mapped_size": 4661248
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "cb493544c3d52588f8eb01fb9e2e158d",
                        "sha1": "1c6ffe79d1d53bbf56574aa4dccd8a9edd16f34b",
                        "sha256": "ed0433a06ac58c555c06b9cc89e5394ebf5531eb934583165b1f798d75243e63"
                    },
                    "name": "SETUPAPI.dll",
                    "path": "C:\\WINDOWS\\System32\\SETUPAPI.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729978781696,
                        "mapped_size": 647168
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "a4f2d5942fb447cd48a5cee414983e85",
                        "sha1": "5aff4cfdee689f127df3c555281dc629d4d62318",
                        "sha256": "dd7c8bc34cdbe30ef921395e874909bbf6be53803822164f75f7207e9f085650"
                    },
                    "name": "msvcrt.dll",
                    "path": "C:\\WINDOWS\\System32\\msvcrt.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729967312896,
                        "mapped_size": 319488
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "1aeb3524cc1162f97a87ee77810d0c1f",
                        "sha1": "bae55961b55a36ff0b74edced581219c1d0d9c0b",
                        "sha256": "cb82c3b7c8734e891ddcb08c7890599e563498bcb645bb15cbf819fe8a88e3d4"
                    },
                    "name": "cfgmgr32.dll",
                    "path": "C:\\WINDOWS\\System32\\cfgmgr32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729862193152,
                        "mapped_size": 81920
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "2e8bc179a27b230af644c81c956a7627",
                        "sha1": "f4b972ed5fee471bdfb01b195c58f2d341299b93",
                        "sha256": "1033414b92fe745fb7fd75cab631fe253a55e390e11bab0093aad0d55a1734be"
                    },
                    "name": "WTSAPI32.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\WTSAPI32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729970196480,
                        "mapped_size": 1048576
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "2c8fe06966d5085a595ffa3c98fe3098",
                        "sha1": "e82945e3e63ffef0974d6dd74f2aef2bf6d0a908",
                        "sha256": "de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65"
                    },
                    "name": "ucrtbase.dll",
                    "path": "C:\\WINDOWS\\System32\\ucrtbase.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730006831104,
                        "mapped_size": 1200128
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "57916e42bdc0ed33a3252d27be9bd4bd",
                        "sha1": "c817a2c865f10245b7ce7b3fff1c9806b8fddc00",
                        "sha256": "507961e07da1f8f16b29383bc1b9929b88f572c8558d478d01a282ec3814a1be"
                    },
                    "name": "RPCRT4.dll",
                    "path": "C:\\WINDOWS\\System32\\RPCRT4.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729976094720,
                        "mapped_size": 159744
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "a4be5153c4441ffeda74aa99d4b2e830",
                        "sha1": "fb5de507fc8cc3622d225cb3f5e551c98dc10b51",
                        "sha256": "0f14bb6286686143d6192376c2f965d7e71a0c3fae73773da56a7fcd5e355f4d"
                    },
                    "name": "bcrypt.dll",
                    "path": "C:\\WINDOWS\\System32\\bcrypt.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729998245888,
                        "mapped_size": 348160
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "800fb7d0317b3ab92f7099516acb49e0",
                        "sha1": "3e2ace507216082b1882098d2fe19a9cf2981731",
                        "sha256": "4e9fb3235a2665f139ed2d3f9068cae8377614030e911e6398da91c526fe4729"
                    },
                    "name": "SHLWAPI.dll",
                    "path": "C:\\WINDOWS\\System32\\SHLWAPI.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730000998400,
                        "mapped_size": 438272
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "6eed88c1206032a2797abf131c6242cf",
                        "sha1": "2865c9ad28810c59f5eeed6f894467c9eb2c4ee8",
                        "sha256": "1f996574f38219cdd848375f517f8d86e17542bc84d64cce63aa0c64cc15f22d"
                    },
                    "name": "WS2_32.dll",
                    "path": "C:\\WINDOWS\\System32\\WS2_32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729994444800,
                        "mapped_size": 1703936
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "3d2a6411d06e658a2ab3c893ca691ea3",
                        "sha1": "b27afe066b8f194a367f8479d0f14c83f410ddc3",
                        "sha256": "0178536e572f7443ce276c92ec19a2265cebf223be3b535423e537f8f8a14080"
                    },
                    "name": "USER32.dll",
                    "path": "C:\\WINDOWS\\System32\\USER32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729975898112,
                        "mapped_size": 139264
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "2967992aa96b62320348ae2d02bf892b",
                        "sha1": "48dcab9f693fd19a264f350878108ffa5f014ed1",
                        "sha256": "96ec73e1cc65c4c0afa6e349b32d55cbf2cabd44dd6077426d43efaa70a0aa6e"
                    },
                    "name": "win32u.dll",
                    "path": "C:\\WINDOWS\\System32\\win32u.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730003095552,
                        "mapped_size": 176128
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "f1590bdb1c95293cd3b487ffc97353e0",
                        "sha1": "9b3c7713828bda35bb3e4f30a56d61a2c19811dc",
                        "sha256": "de75aea74bf6453f42f02b949a6a3dc00ecef4ae16310fc4a0acb6d869e1fd2a"
                    },
                    "name": "GDI32.dll",
                    "path": "C:\\WINDOWS\\System32\\GDI32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729967640576,
                        "mapped_size": 1101824
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "35ebe12ae1f1c27584f5be396440bcd0",
                        "sha1": "32bbca406ab71468a0a692306f050bd0b59b61d2",
                        "sha256": "5da711c82b60e44efe5373ce870685ef8b919af69ba8e79e9b16fe3d694c1d82"
                    },
                    "name": "gdi32full.dll",
                    "path": "C:\\WINDOWS\\System32\\gdi32full.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729971245056,
                        "mapped_size": 643072
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "34692d0bde33641b576c32165fbaaf6d",
                        "sha1": "09c6a238c7b2936207f261562079a327aa9ff34e",
                        "sha256": "fd1d0cc8a5ac8bf20af9e1a7ec360dd76dc022dfe992556948df1c17f7a714d2"
                    },
                    "name": "msvcp_win.dll",
                    "path": "C:\\WINDOWS\\System32\\msvcp_win.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729615450112,
                        "mapped_size": 1056768
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "0ac786f7a0c0f07a6e2a2941bfa24bb0",
                        "sha1": "de1633bfac523ede0a7f7408ee5f852c839d5681",
                        "sha256": "4ef7af838272ec8825e45801fc110561e68f139ab29941b1cd6a1216a325d990"
                    },
                    "name": "RASAPI32.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\RASAPI32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730002309120,
                        "mapped_size": 712704
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "881b5e88c418446969cab97fd10855f8",
                        "sha1": "47bbf1c64077eb10b8aef0012dd71417a00e3935",
                        "sha256": "2f474779e3d794347a916c930886e4a5c07a43e7102b90cbea09feb789e3cb79"
                    },
                    "name": "ADVAPI32.dll",
                    "path": "C:\\WINDOWS\\System32\\ADVAPI32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729613484032,
                        "mapped_size": 1912832
                    },
                    "code_signature": [
                        {
                            "exists": false
                        }
                    ],
                    "hash": {
                        "md5": "df60dc2544553fb826113cbd2d24c638",
                        "sha1": "fc15828dc482da3a7ff572633a12077539bde0ad",
                        "sha256": "e9792528179f6aae7586eae8298c8f1c89a68e4fc4be54084cc0359205efdce2"
                    },
                    "name": "utilsdll.dll",
                    "path": "C:\\Program Files\\Fortinet\\FortiClient\\utilsdll.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729979437056,
                        "mapped_size": 638976
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "664f560be5e2350f640efbc3de922d70",
                        "sha1": "ce8a1b8b0157039e9f83b83e6ea4f80bc37ba98a",
                        "sha256": "5c5dd08d4d4855598f2f7f88b4323124fcb5f00935a52c03d2c2a9cb3fa16a62"
                    },
                    "name": "sechost.dll",
                    "path": "C:\\WINDOWS\\System32\\sechost.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730003292160,
                        "mapped_size": 3493888
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "31f46dd8b1ea17c235600971ffaeaa4f",
                        "sha1": "236f2434690cd06104a1b10a3e8e1b5ee5b4149d",
                        "sha256": "1279edebe6ae859a5db12b22ab0346e82e6fa95b7e640cd151f4dc6ee7a7b79e"
                    },
                    "name": "combase.dll",
                    "path": "C:\\WINDOWS\\System32\\combase.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729985204224,
                        "mapped_size": 7618560
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "71e3b63f50a75d4c7daae8b5d88ba4ca",
                        "sha1": "75bd0072eb3081e0a7fdc5d47ecd62ca18e98025",
                        "sha256": "96567b042825d93e00c10fad8aab406fcc5709a94e3135843f819c79ef76f31e"
                    },
                    "name": "SHELL32.dll",
                    "path": "C:\\WINDOWS\\System32\\SHELL32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729610076160,
                        "mapped_size": 3383296
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "2ad968d1b1b21b5136ea6237ce823252",
                        "sha1": "8978a39fe4932298e21559cd58742c2436751723",
                        "sha256": "a5888fe1711cd67437d60fadebb926c86e67791f867e7da5be82fa4d625bf7d4"
                    },
                    "name": "msi.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\msi.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730008076288,
                        "mapped_size": 1220608
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "7d78addfcb5040857fe4576a9f4ae8fb",
                        "sha1": "94dfbcfb38254181bbb1bc27b59ba24d420a3af5",
                        "sha256": "bb5c4a11364a7f3f60b70314c6757426ad0fef577a7219aad30eba24e6b44484"
                    },
                    "name": "ole32.dll",
                    "path": "C:\\WINDOWS\\System32\\ole32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729609814016,
                        "mapped_size": 217088
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "a2bab1378c2cf08db4f13da911c1f123",
                        "sha1": "e869396f82e5f861cbbe4f00edb15b90b5bd33fa",
                        "sha256": "e8a6980ce7cd2d4036678b5efcc3395f866ec4bf155a50579e14104f55298f88"
                    },
                    "name": "rasman.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\rasman.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729968754688,
                        "mapped_size": 1400832
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "1c46946cce849bb9082a8bdf9ca246c8",
                        "sha1": "2aeafdc2841f3145100c7ea94962ef5aa0198cb3",
                        "sha256": "c1291c4860dfe5a103c92992335ca32956f41ab0290cda205aa28c884d28cb29"
                    },
                    "name": "CRYPT32.dll",
                    "path": "C:\\WINDOWS\\System32\\CRYPT32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730003030016,
                        "mapped_size": 32768
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "729a761566b60a8621a1d171baccf41c",
                        "sha1": "a9852987463fdd9b05614a10a33d30b1b91f04a6",
                        "sha256": "4bf259ee8bc11a51fb6ffc7c5d77b8fab9d092d6892789b92d145083607fb314"
                    },
                    "name": "PSAPI.DLL",
                    "path": "C:\\WINDOWS\\System32\\PSAPI.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729999425536,
                        "mapped_size": 892928
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "a833a16dfa3423d3308d0886cd34fbf9",
                        "sha1": "a21ef5776170bbfe19d7298af89380a5fc067fd4",
                        "sha256": "cbbdba7688804ddd45de6c250c5493b8889502771c17655b566fef3282219e79"
                    },
                    "name": "COMDLG32.dll",
                    "path": "C:\\WINDOWS\\System32\\COMDLG32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729997524992,
                        "mapped_size": 708608
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "92a58f317bcd8fe3891bdb9d1c0497d3",
                        "sha1": "74d2c7429799d38a8ac8528275050a6bc19bc150",
                        "sha256": "84b1b10eba9d78625a63f16ab6056b49672bc89ba6c5c3cfbf1066a674171ef6"
                    },
                    "name": "shcore.dll",
                    "path": "C:\\WINDOWS\\System32\\shcore.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729609682944,
                        "mapped_size": 90112
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Corporation",
                            "trusted": true
                        },
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Corporation",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "6e2b2ddb1bc783122018d99d38497298",
                        "sha1": "414dfc02289926416399fd986a303e32e812c595",
                        "sha256": "02fcb91909ed2ecc68b62bceaca7b8d8319e7d625e599756c170db631237da69"
                    },
                    "name": "VCRUNTIME140.dll",
                    "path": "C:\\Program Files\\Fortinet\\FortiClient\\VCRUNTIME140.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729609027584,
                        "mapped_size": 634880
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Corporation",
                            "trusted": true
                        },
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Corporation",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "eb1b46c4b900e4c83066760a737986cd",
                        "sha1": "90444980a36e79c043e6f037841822a9ef89af9d",
                        "sha256": "29206a9a3abb8962593312edc6fb5aaa76a86fae8f24c1e1718707001b8df3dd"
                    },
                    "name": "MSVCP140.dll",
                    "path": "C:\\Program Files\\Fortinet\\FortiClient\\MSVCP140.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140730001457152,
                        "mapped_size": 839680
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "eab5aded2242feaee371ed5cab6ea919",
                        "sha1": "d9d46f3be08dd8b988b873c4e034c622bc0fb119",
                        "sha256": "bbe70836e44ba71555906d37011ec2aa3f86bd1314f5431406bba8f305dfb570"
                    },
                    "name": "OLEAUT32.dll",
                    "path": "C:\\WINDOWS\\System32\\OLEAUT32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729966264320,
                        "mapped_size": 188416
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "6331627f363f17f1b1d28c4fe3fb433b",
                        "sha1": "31ab07ef67ba94c1d219235ca7db246b3d0f2fe2",
                        "sha256": "de6f6cd7d703dca17c147b358fb0ded9b763c5642c56dca0280204a8d3e2cdc3"
                    },
                    "name": "USERENV.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\USERENV.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729782435840,
                        "mapped_size": 102400
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "48cd1acc603321ef4c1138ea71c88712",
                        "sha1": "f04bc05870257dc0b2ff11433190e2799361da71",
                        "sha256": "01442fcce39fb0c34f40b53690633d84d8924c981e4b84604a1a4857a2b5ec53"
                    },
                    "name": "NETAPI32.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\NETAPI32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729607258112,
                        "mapped_size": 1740800
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "bfdb218a461ccd21a2de0c70b21986b4",
                        "sha1": "e99d9f1ec0b339319fdbde82fc3a16deced359dc",
                        "sha256": "73734442546d8029cf7e6e9707222b42fb9f763fe6291e24256394982fa67647"
                    },
                    "name": "gdiplus.dll",
                    "path": "C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1466_none_91a4907ccc87e3b8\\gdiplus.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729769328640,
                        "mapped_size": 40960
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "17c1e1099b65051bb6dec71fea37315b",
                        "sha1": "8ed26469afbd53da7749ef9c6ab8c7f010e9bb1e",
                        "sha256": "e549d528fee40208df2dd911c2d96b29d02df7bef9b30c93285f4a2f3e1ad5b0"
                    },
                    "name": "VERSION.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\VERSION.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729955057664,
                        "mapped_size": 241664
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "567a217405f41caea18f4bab50d480fd",
                        "sha1": "90f870f43852b3fd62110692030bd20887777c0e",
                        "sha256": "41f7a696a02b5dcba85e12a4999423bdebb1215662059adae955f8081e3ffa78"
                    },
                    "name": "IPHLPAPI.DLL",
                    "path": "C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729602015232,
                        "mapped_size": 118784
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "4f8bfcfa67a8d446cd6e8f6b5fa3ffe9",
                        "sha1": "501c4eb03a67b79b0b4d8d02738b96b66cfa4971",
                        "sha256": "1028e8df3dc3888f98626a673c93c5207c774ef833f6ec331aed807bd609a5f6"
                    },
                    "name": "MPR.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\MPR.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729602146304,
                        "mapped_size": 5079040
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "d72984411123c0c955ca77bc793911a4",
                        "sha1": "1fdf1ccad34240ce33238d7b95e89682ed1bdae0",
                        "sha256": "216a93efb3cec41257e47a4889baa28644691392d7445565404419145b31406a"
                    },
                    "name": "WININET.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\WININET.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729864290304,
                        "mapped_size": 118784
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "912357f8e08213ba9cea37721b5ed46b",
                        "sha1": "9ac131aba943b6e80ee4b9ce9b39f943d82be583",
                        "sha256": "691a7aff42d558fac26f2a9de6b47d7596b130e730597dc3aff6025cb484d4a1"
                    },
                    "name": "dhcpcsvc.DLL",
                    "path": "C:\\WINDOWS\\SYSTEM32\\dhcpcsvc.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729599066112,
                        "mapped_size": 2887680
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Fortinet Technologies (Canada) ULC",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "2f75c68f6b6a68a09412d92000237472",
                        "sha1": "8ebc74972472e568424a5c8c92c93fc2eec1aa41",
                        "sha256": "1cab334629f00a890f14333769070837b8fa99f9c5d7b6d00f7e12bddcd3b2c9"
                    },
                    "name": "libcrypto-1_1-x64.dll",
                    "path": "C:\\Program Files\\Fortinet\\FortiClient\\libcrypto-1_1-x64.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729965215744,
                        "mapped_size": 40960
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "db1f14390509ccda5539f23a826c8e7d",
                        "sha1": "5d376f21549dc1c471f92d5da21b0658cf1bed5a",
                        "sha256": "1c00f2882e1d7f7a630e5f931613bb34a740290455763492f1ab416a39922b5d"
                    },
                    "name": "DPAPI.DLL",
                    "path": "C:\\WINDOWS\\SYSTEM32\\DPAPI.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729798230016,
                        "mapped_size": 102400
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "1ee506ba169756b2bc933bd5a4d5b7a2",
                        "sha1": "fbb97258680c4aba9163b94fc17f7a22f54e298f",
                        "sha256": "e6eb43aa14c8889142af2763b8198ce81369e87ee22d79477a18f19e921b3a68"
                    },
                    "name": "SAMCLI.DLL",
                    "path": "C:\\WINDOWS\\SYSTEM32\\SAMCLI.DLL"
                },
                {
                    "Ext": {
                        "mapped_address": 140729596313600,
                        "mapped_size": 2727936
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "bc6be4f87a4557179349323f23b5685f",
                        "sha1": "625c424e6104f4ea83fb797e37748e02bb7da05a",
                        "sha256": "8972aa51e8eff7a0dd87dbc6d70efdf2f2f997a3b1f83ae6ccea95b5650ba36e"
                    },
                    "name": "COMCTL32.dll",
                    "path": "C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\COMCTL32.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729595002880,
                        "mapped_size": 45056
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "d778391d413afbdb9ce4896acaacbd00",
                        "sha1": "fda7d1317bc84fb6c0b8e229ca0954f643188449",
                        "sha256": "755299e787cdb27f89fb6428d1f3415695ef097d9ba210558be5a6c44354859f"
                    },
                    "name": "fltlib.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\fltlib.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729960628224,
                        "mapped_size": 49152
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "095b8f1c0f8ee3caa09fcca6cb92f6c0",
                        "sha1": "9356bb02fc42e850639f001a104717233b441ddf",
                        "sha256": "b50d007ee8764f7cada9d9a395da396201c8b18e6501b50ab809914a7588baf1"
                    },
                    "name": "CRYPTBASE.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\CRYPTBASE.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729942540288,
                        "mapped_size": 208896
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "3847505289cb4d4454f8dc5a866338a8",
                        "sha1": "5a5db0243ff6c10865b1301712647bbb416d2b07",
                        "sha256": "b2eb064f3d70f08152e1845fbeef64be204fa44fa56d2e58a645e15db5505011"
                    },
                    "name": "ntmarta.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\ntmarta.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729931988992,
                        "mapped_size": 73728
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "af68fddb20df61ece812b542176949e4",
                        "sha1": "cdba1cc8fd390b4f8101b5a22b0aa0ba5605c7db",
                        "sha256": "7d6c60195dfb05eec27377ae25d9ad259d7fdf85fa71d2aa855fd4129c2aadc2"
                    },
                    "name": "kernel.appcore.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\kernel.appcore.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729971900416,
                        "mapped_size": 532480
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "997827ce8aefac419ed1880c1f58e718",
                        "sha1": "70021fe46dc589bae27b813ea8274df452cea790",
                        "sha256": "2ae5378430807a84fd862e30a1305426a8d016080a1a248c6b4b5f5cda198ee4"
                    },
                    "name": "bcryptPrimitives.dll",
                    "path": "C:\\WINDOWS\\System32\\bcryptPrimitives.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729933627392,
                        "mapped_size": 7946240
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "ab63928d70c9c633ecef5b49fb727a01",
                        "sha1": "4ac6953b3506b604f58a724347f6f10eee360dc7",
                        "sha256": "4ea8a03f7d5548e647a5de8b772dba5deb43bc9617da515bc1c34e5793722271"
                    },
                    "name": "windows.storage.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\windows.storage.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729961349120,
                        "mapped_size": 188416
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "7004680670f05f6870a126e3f8e85180",
                        "sha1": "0e616b4445586ec8590d384a0a49571e3e0c4b34",
                        "sha256": "80e8a7444c9b57877ed45f4f73765d59251cbde9388e5716c4e6015b54a2c01d"
                    },
                    "name": "Wldp.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\Wldp.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729908789248,
                        "mapped_size": 1007616
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "b5b4006acf4d06112dec1d2d3e86c431",
                        "sha1": "0fe3f7f5ad40e9b902f4438f55cdcfd9fcdb5cb0",
                        "sha256": "bf1a5b4b8178c8092347e0c977e0b1bc11a287f703d5ecf68575589ddc6655f8"
                    },
                    "name": "PROPSYS.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\PROPSYS.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729996804096,
                        "mapped_size": 692224
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "d77132d9a41654bd9cd887208d6c2516",
                        "sha1": "037c463993be1b0f0b8d58de4b6aa201a4b89715",
                        "sha256": "ec3d61cb2c5d1511051882f3c0e2b8b6f74b011cfb972112179090f2c3f3f5fc"
                    },
                    "name": "clbcatq.dll",
                    "path": "C:\\WINDOWS\\System32\\clbcatq.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729966526464,
                        "mapped_size": 126976
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "4a7468ff74f0114626b2f7d1dd5d9fc7",
                        "sha1": "0094c51ce445d9986ad3a74959c47c7ec4e25504",
                        "sha256": "313cb7c9a69d5d84308a1c4b78c8ff257854071cac7918bc31d1b893feb95ec2"
                    },
                    "name": "profapi.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\profapi.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729592315904,
                        "mapped_size": 401408
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "20f848d3c5b7d2e9264c2c88e8c8b411",
                        "sha1": "916a5f00192aa9d72c95a71c52319c0abc4513bf",
                        "sha256": "9e76f8b77482d978da320e876eebf0cd960aea165266fe1488463f6740a6da58"
                    },
                    "name": "Windows.FileExplorer.Common.dll",
                    "path": "C:\\Windows\\System32\\Windows.FileExplorer.Common.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729778307072,
                        "mapped_size": 2822144
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "0ca7873d7151abe5b9b85965be26250f",
                        "sha1": "df966272f84384e033e03ff6b6f5e4216868c2d1",
                        "sha256": "035ac4ca2e37ae3289638fae15e2d3096c64bedc6de191720b0bfa963ab0bb5e"
                    },
                    "name": "iertutil.dll",
                    "path": "C:\\Windows\\System32\\iertutil.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729592119296,
                        "mapped_size": 147456
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "b14c8b8e3e73cea720969abba2afac8a",
                        "sha1": "38fc9713047055fd40d3777524ed3742b7da4272",
                        "sha256": "494b7e2e452a875c11de6ae4ea9b7760b1afe23e160638313e1ccefbdfadddc8"
                    },
                    "name": "edputil.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\edputil.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729644220416,
                        "mapped_size": 2011136
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "deefc52fa55c586da20aeababf25c504",
                        "sha1": "f0243431043ff3b30835bc00085518a81b4e56d6",
                        "sha256": "484f3904f9a862da6505b285121824de515e239e0960b01d5d45b735e36d0a46"
                    },
                    "name": "urlmon.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\urlmon.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729644023808,
                        "mapped_size": 163840
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "99fb8b2e6d75af49dc1fa1fae777df8f",
                        "sha1": "dfb4b76ed2bfe24c78fd44b0d2639451c483b812",
                        "sha256": "1aefeab96e14fb56abddbca4f770e6ddf588a2e10aaeaafa3f273e6504a6a73d"
                    },
                    "name": "srvcli.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\srvcli.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729956171776,
                        "mapped_size": 49152
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "87185311a6de2e993e72502f58c1171f",
                        "sha1": "1038aa4d791515382ef14485601e74ae897122fe",
                        "sha256": "4b02305203ab1ac0e795b6467c1e17a00c17447941aefbf91378186e2fc580d8"
                    },
                    "name": "netutils.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\netutils.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729307103232,
                        "mapped_size": 1335296
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "98535de16da23159539178d8f3f2b8b0",
                        "sha1": "f8a146409dcf7b429145fd3de03c9fa8c12277e8",
                        "sha256": "63bcc1705049bd7a1b181638bc23850a0d1e12286202850cf40a78bd5e3675b3"
                    },
                    "name": "Windows.StateRepositoryPS.dll",
                    "path": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729966002176,
                        "mapped_size": 200704
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "956ad5a3683b1d05ecb2927114682495",
                        "sha1": "1c241020754267181dd501949e0d43f35f0a4d10",
                        "sha256": "74542c85c237583a61bfd6296e7610da2973872645ddc614ad837705d9c4ac72"
                    },
                    "name": "SspiCli.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\SspiCli.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729306906624,
                        "mapped_size": 143360
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "29ea53f925520943783a93cb9ec3a3c7",
                        "sha1": "8c506d0ee7a223850d94f934d8819ae9b86b73bf",
                        "sha256": "5ea1651dc79d536cb6c64b27257a28271570bd390da7d6f44e563770e43bb175"
                    },
                    "name": "cldapi.dll",
                    "path": "C:\\Windows\\System32\\cldapi.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729896992768,
                        "mapped_size": 1392640
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "01844ee13bf526446f103390f4a69309",
                        "sha1": "f0309242c4fffdcb0891928d50fa67c5cd94e414",
                        "sha256": "bdf7f7a38e35404407a695c17e730736bfcf7573707aa0fdc7e1bdd2e21944b3"
                    },
                    "name": "wintypes.dll",
                    "path": "C:\\Windows\\System32\\wintypes.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729301139456,
                        "mapped_size": 589824
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "fdd9ea02c8c8928bbf67cefa068ebcbb",
                        "sha1": "de82b58b566ed33ed131936000e3eaf2398c7d9a",
                        "sha256": "fe96c271815e9f5c5c0befaf9ee13e159460139137a25440ea296e2fdff83578"
                    },
                    "name": "appresolver.dll",
                    "path": "C:\\Windows\\System32\\appresolver.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729946013696,
                        "mapped_size": 167936
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "4f6f869094d632eb65e88ca037986aa3",
                        "sha1": "681b0201ca12047db8768462497be8aba49fea29",
                        "sha256": "a68d1f8265d6a1175e55283a6f57b96ac94bad9585d19d3d56f8d2c6d4c92df4"
                    },
                    "name": "SLC.dll",
                    "path": "C:\\Windows\\System32\\SLC.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729724043264,
                        "mapped_size": 376832
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "968b32ebcc2e8ac5105f513baf367ff3",
                        "sha1": "03b5ab3ea87137e34254b1021ea0b98bae9af941",
                        "sha256": "80b01aa7f1f5561705de81c8e1e521792dba8daaf4d6d7ab6cf9360daa787c4c"
                    },
                    "name": "Bcp47Langs.dll",
                    "path": "C:\\Windows\\System32\\Bcp47Langs.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729945817088,
                        "mapped_size": 151552
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "1a344a53306779abd7a3242f7521ca19",
                        "sha1": "93105d0b684532fd5ae8f302497beec84891087a",
                        "sha256": "63acba2d7b1e0ff51b1fb5eddac20b89e7d47051a4d7e3180da4f99ecca8ae32"
                    },
                    "name": "sppc.dll",
                    "path": "C:\\Windows\\System32\\sppc.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729302450176,
                        "mapped_size": 90112
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "ac9a1d6ae55762a7ed1b139562beaa66",
                        "sha1": "1e8fcb8551d18b1c777d3c8f88d117d00884d562",
                        "sha256": "9d97b0901ece09e1b2d5662e8646777bdab3762ea73f8a1c1b9396e5848b7d36"
                    },
                    "name": "pcacli.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\pcacli.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729302319104,
                        "mapped_size": 73728
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "03139bcf3cf2ebc37e4bbce3c1502f7f",
                        "sha1": "fc115e1f4199b2a67f88e7a867b8f36d644e7063",
                        "sha256": "19776361b3a0a941a2eafcb87b83a3022f6c5dafa31a7722079cb6d7b3d03332"
                    },
                    "name": "sfc_os.dll",
                    "path": "C:\\WINDOWS\\System32\\sfc_os.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729590022144,
                        "mapped_size": 491520
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "197b28b17b7287500c7546c82e2bfa5b",
                        "sha1": "3be7c8cb40a2369bab87382102118e0234c97c24",
                        "sha256": "decc9227566c5851efe9592afd8b07b660e285e4e99e60ee6cd287d7ffa103d0"
                    },
                    "name": "NetSetupShim.dll",
                    "path": "C:\\Windows\\System32\\NetSetupShim.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729646252032,
                        "mapped_size": 155648
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "635f5ef7975819e634fa5385923e25cf",
                        "sha1": "38a3f7ad99965e7265afebc096cade740c94beb1",
                        "sha256": "1a7ba67fa78f06a0a5025ae4b1fff5736d3d601906d27a596f2fd76fcf764cfb"
                    },
                    "name": "NetSetupApi.dll",
                    "path": "C:\\Windows\\System32\\NetSetupApi.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729787219968,
                        "mapped_size": 81920
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "804b115e40c962e02837e51c1cc8fea2",
                        "sha1": "2336760b68e62123582aa98cc15d7973c012ca67",
                        "sha256": "7ae8b9ab829c52ed76e84240b266f799d918160643b4a675ce2484bdfd4baf0a"
                    },
                    "name": "DEVRTL.dll",
                    "path": "C:\\Windows\\System32\\DEVRTL.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729964822528,
                        "mapped_size": 212992
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "06015ff148729baab68690cb75c23789",
                        "sha1": "f6655b48250cf5a0f4d2a64bb00415ef6db06185",
                        "sha256": "c63c6b78f997ce49c3794ea6272cfd352c9fdae7305e4e2849f16bcf13e6fd0e"
                    },
                    "name": "DEVOBJ.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\DEVOBJ.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729975439360,
                        "mapped_size": 430080
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "96af912f85ce8a267ceeeffbd81799f9",
                        "sha1": "6b3ade7526a953b8fe9a0f0354e655f12b8b007a",
                        "sha256": "c2520ceabba43ff8e4bf2f2099b6d6be55af104763a7d798badc1815b4a120da"
                    },
                    "name": "WINTRUST.dll",
                    "path": "C:\\WINDOWS\\System32\\WINTRUST.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729962987520,
                        "mapped_size": 73728
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "353b595137ed00adfc8bbb180c3ce30c",
                        "sha1": "67b5be0f3baf074fea76182878c757a5db1863de",
                        "sha256": "589f8393dee90934afd9e70739caac7cd8e85f6a9501635f0b9026e272b349fd"
                    },
                    "name": "MSASN1.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\MSASN1.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729893060608,
                        "mapped_size": 589824
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "20001393b469dffa4349e76e787ed83a",
                        "sha1": "6b89bdc2316a815879a0077de03439414a9dadc4",
                        "sha256": "2236a6c3ddde48543d50826fff355ad7bbacf9bd1424a24c10647326f0b8d7ee"
                    },
                    "name": "apphelp.dll",
                    "path": "C:\\WINDOWS\\system32\\apphelp.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729946669056,
                        "mapped_size": 368640
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "e8f4740e77b514f913d1fd2439e2980d",
                        "sha1": "2425de26d34a27b274347006747ed3caaa78ce11",
                        "sha256": "8d642d993b9dcb4b5b8227e21fec8d2a84a7c0bd012633678b65b57b7abb9a0b"
                    },
                    "name": "WINSTA.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\WINSTA.dll"
                },
                {
                    "Ext": {
                        "mapped_address": 140729491259392,
                        "mapped_size": 159744
                    },
                    "code_signature": [
                        {
                            "exists": true,
                            "status": "trusted",
                            "subject_name": "Microsoft Windows",
                            "trusted": true
                        }
                    ],
                    "hash": {
                        "md5": "9148ac1b63d3075bc07859af7cf83db5",
                        "sha1": "dca660804ce63a9a639e3d249d450a059414ddd5",
                        "sha256": "a9d8956ae603937e2141fddc9ce58ce2f38b0e7e7c0c144c837676c49b65ef5f"
                    },
                    "name": "SAMLIB.dll",
                    "path": "C:\\WINDOWS\\SYSTEM32\\SAMLIB.dll"
                }
            ],
            "token": {
                "integrity_level_name": "system"
            }
        },
        "args": [
            "C:\\Program Files\\Fortinet\\FortiClient\\scheduler.exe"
        ],
        "command_line": "\"C:\\Program Files\\Fortinet\\FortiClient\\scheduler.exe\"",
        "entity_id": "MDhiMTA3NTktY2FhOC00NDZiLWIzOWItZmI4NTU5ZjdmZTgzLTQ3NzItMTMyODk1NjI0NzUuMjExNTcwMA==",
        "executable": "C:\\Program Files\\Fortinet\\FortiClient\\scheduler.exe",
        "hash": {
            "md5": "eb52022c6ff096ff4d8a439e52ae3602",
            "sha1": "a1c1e5fdbe1a045dcdc38bc437f12000fcfb50d7",
            "sha256": "43d21eed82b9aa876f9750af01468ddf074c1bcde3219854ece88f85622a7d48"
        },
        "name": "scheduler.exe",
        "parent": {
            "Ext": {
                "architecture": "x86_64",
                "code_signature": [
                    {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows Publisher",
                        "trusted": true
                    }
                ]
            },
            "command_line": "",
            "entity_id": "MDhiMTA3NTktY2FhOC00NDZiLWIzOWItZmI4NTU5ZjdmZTgzLTk0NC0xMzI4OTU2MjQ3My40MTg4ODg4MDA=",
            "executable": "C:\\Windows\\System32\\services.exe",
            "hash": {
                "md5": "d8e577bf078c45954f4531885478d5a9",
                "sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
                "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"
            },
            "name": "services.exe",
            "pid": 944,
            "uptime": 950631
        },
        "pid": 4772,
        "uptime": 950629
    },
    "rule": {
        "ruleset": "diagnostic"
    },
    "version": "7.16.1"
}

Release Target

8.2

For mapping changes:

  • I ran make after making the schema changes, and committed any generated files (in schema/, generated/)
  • Does this field need to be "exceptionable"? (no longer specified in this package, this is now tracked in Kibana)

@ferullo
Contributor

ferullo commented Mar 9, 2022

Does this need to be backported to 7.17?

@magermark
Contributor Author

@ferullo Yes, this would need to be backported to 7.17 to ensure a consistent user experience across the board

@magermark magermark requested review from joeypoon and pzl March 10, 2022 14:55
@crowens
Collaborator

crowens commented Mar 10, 2022

Should we consider this a breaking change? @andrewkroh what do we usually do in a package when we change a field type? @bradenlpreston

@andrewkroh
Member

andrewkroh commented Mar 10, 2022

When the integration is upgraded by Fleet the data stream will be rolled over in order to apply the new mapping. Any data that is ingested after that will need to align to the type (keyword). In this case that won't be a problem since binary data must be base64 encoded and base64 is obviously valid for a keyword field.

You may want to add a step to your Ingest Node pipelines to conditionally convert incoming base64 data to hexadecimal to account for Agents that are not yet upgraded. I think you'd need to use Painless to handle this (like https://www.elastic.co/guide/en/elasticsearch/painless/master/painless-api-reference-shared-java-util.html#painless-api-reference-shared-Base64-Decoder).

The last issue to consider is queries. Are there any consumers (rules, alerts, dashboards, etc) of this field in the Elastic ecosystem that will be broken by the change or by receiving mixed results (base64 and hex) when hitting older indices? You should test this on a cluster having both binary- and keyword-mapped indices to see if you encounter any other issues (like check Discover and check the Kibana index pattern / data view UI).
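The comment above suggests conditionally converting base64 values (from the old `binary` mapping) to hexadecimal in an ingest pipeline. The Python below is an added example, not code from this PR, the endpoint package or an Elasticsearch pipeline; it shows why a pure character-set check cannot make that decision and demonstrates a hex-first normalisation rule instead. The hex sample values are the ones from the alert in the PR description; the base64 string is a constructed value (the base64 form of the `5468...7279` "This is a canary" sample), and `normalize_alert` assumes only the two field locations the PR names.

```python
"""Normalise Ransomware.files.data values to the hex form the endpoint emits.

Added example for this PR thread. Key observation: every hex string uses only
[0-9A-Fa-f], and all of those characters are also valid base64 symbols, so a
32-character hex sample is *also* a syntactically valid base64 string. That is
why the old `binary` mapping accepted the hex strings in the first place, and
why "is it base64?" is not a usable test. The rule used here is hex-first:
treat a value as hex when it is an even-length hex string (the documented
endpoint format), and only otherwise fall back to base64 decoding.
"""
import base64
import binascii
import re

# An even-length run of hex digits: the format the endpoint has always sent.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def looks_like_hex(value: str) -> bool:
    """True for even-length strings made only of hex digits."""
    return bool(HEX_RE.match(value))


def is_valid_base64(value: str) -> bool:
    """True if the value decodes under strict base64 rules (alphabet and padding)."""
    if len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def normalize_file_data(value: str) -> str:
    """Return the value as an uppercase hex string.

    Hex wins ties: a value that is both hex and base64 is kept as hex, because
    hex is what the endpoint sends. Only a value that is NOT hex but IS valid
    base64 (what a `binary` field would hand back) is decoded and re-encoded.
    Caveat: a base64 value that happens to consist solely of hex characters
    with an even length would be misclassified as hex; use an out-of-band
    signal (e.g. agent version) if that case matters for your data.
    """
    if looks_like_hex(value):
        return value.upper()
    if is_valid_base64(value):
        return base64.b64decode(value, validate=True).hex().upper()
    raise ValueError(f"unrecognised Ransomware.files.data encoding: {value!r}")


def normalize_alert(alert: dict) -> dict:
    """Rewrite files[].data under Ransomware and Ransomware.child_processes[] in place."""
    rw = alert.get("Ransomware", {})
    file_lists = [rw.get("files", [])]
    file_lists += [child.get("files", []) for child in rw.get("child_processes", [])]
    for files in file_lists:
        for entry in files:
            if "data" in entry:
                entry["data"] = normalize_file_data(entry["data"])
    return alert


# Constructed alert fragment; hex values copied from the PR's sample document.
SAMPLE_ALERT = {
    "Ransomware": {
        "files": [
            {"data": "FFFE0D000A0020002000200020002000", "extension": "ini"},
            {"data": "5468697320697320612063616E617279", "extension": "doc"},
        ],
        "child_processes": [
            # Constructed: what a `binary`-mapped index returns for the canary bytes.
            {"files": [{"data": "VGhpcyBpcyBhIGNhbmFyeQ==", "extension": "doc"}]}
        ],
    }
}


if __name__ == "__main__":
    hex_sample = "FFFE0D000A0020002000200020002000"
    print("hex sample is also valid base64:", is_valid_base64(hex_sample))
    for files in [SAMPLE_ALERT["Ransomware"]["files"],
                  SAMPLE_ALERT["Ransomware"]["child_processes"][0]["files"]]:
        for entry in files:
            print(entry["data"], "->", normalize_file_data(entry["data"]))
```

Running the script prints `True` for the first line: the hex sample from the PR passes strict base64 validation, so a pipeline that branches on "does it decode as base64?" would wrongly re-encode every hex value. The hex-first rule leaves the endpoint's values untouched and converts only the base64 form.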

@magermark
Contributor Author

Bumping for increased visibility...

I'm going to begin testing this today to validate it operates as expected, but would appreciate review feedback just to make sure the content of the PR makes sense.

CC: @pzl @joeypoon

Member

@pzl pzl left a comment


the change here is ok

sounds like what's being sent from endpoint is not changing at all, just how it's stored, so that obviates some of the above complications.

This won't re-index the existing data, it will just index anything after package update. Not much to do there.

If this needs to be exceptionable, then it probably needs to be added to the Kibana repo here: x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json

