in ransomware/artifact.lua [2001:2034]
--- Index a file event under its extension in the per-process table for its operation.
-- The event is appended to the list stored at `processData.<op>Extensions[ext]`,
-- and that list is created on first use. A rename is indexed twice: under the
-- new extension in `renameExtensions` and under the old one in
-- `renamePreviousExtensions`. An operation matching none of the five
-- `globals.FILE_*` constants compared below leaves `processData` untouched.
--
-- NOTE(review): presumably these buckets feed the extension-based heuristics
-- elsewhere in this artifact; confirm against the consumers.
-- NOTE(review): a nil `fileExtension` / `filePreviousExtension` would make the
-- bucket assignment raise "table index is nil" (assuming utils.TableHasKey
-- returns false for a nil key). Confirm the event source always supplies a
-- string, e.g. "" for extensionless files, so such events are not lost to an
-- error in this handler.
-- NOTE(review): nothing here caps the length of a bucket; confirm that pruning
-- or a size limit is applied elsewhere for high-volume processes.
--
-- @param eventData   file event; reads `operation`, `fileExtension` and, for
--                    renames, `filePreviousExtension`
-- @param processData per-process state holding the `*Extensions` tables
function globals.UpdateExtensionTables(eventData, processData)
    -- Append the current event to buckets[extension], creating the list on demand.
    local function record(buckets, extension)
        if not utils.TableHasKey(buckets, extension) then
            buckets[extension] = {}
        end
        table.insert(buckets[extension], eventData)
    end

    local op = eventData.operation

    if op == globals.FILE_CREATE_NEW then
        record(processData.createExtensions, eventData.fileExtension)
    elseif op == globals.FILE_MODIFY then
        record(processData.modifyExtensions, eventData.fileExtension)
    elseif op == globals.FILE_DELETE then
        record(processData.deleteExtensions, eventData.fileExtension)
    elseif op == globals.FILE_RENAME then
        -- Keep both sides of the rename so either the new or the previous
        -- extension can be looked up later.
        record(processData.renameExtensions, eventData.fileExtension)
        record(processData.renamePreviousExtensions, eventData.filePreviousExtension)
    elseif op == globals.FILE_OVERWRITE then
        record(processData.overwriteExtensions, eventData.fileExtension)
    end
end