in ransomware/artifact.lua [619:692]
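--- Fill `processTable` with the alert payload for one flagged process.
--
-- Resets `processTable.file_list` and `processTable.process_alerts`, then adds
-- records for every entry of `alertProcessData.events`. The layout depends on
-- `utils.CurrentVersionLessThan('3.54.0')`:
--
--   * falsy (structured layout): each event adds `{file_path = ...}` to
--     `file_list` and a structured record to `alert_files` (score, entropy,
--     extension, operation, header string, alert metrics, plus the previous
--     path and extension when the operation is a rename).
--   * truthy (legacy layout): `alert_files` is not touched. The same details
--     are packed into '|'-separated strings stored under `file_path`, so
--     `file_list` ends up with three entries per event.
--
-- @param processTable table that receives the alert fields (modified in place)
-- @param alertProcessData table whose `events` field holds the per-file events
function alert.GenerateEndgameAlert(processTable, alertProcessData)
  processTable.file_list = {}
  processTable.process_alerts = {'PROCESS_LUA_ALERT'}

  local legacyLayout = utils.CurrentVersionLessThan('3.54.0')
  local events = alertProcessData.events

  if not legacyLayout then
    for _, event in pairs(events) do
      table.insert(processTable.file_list, {file_path = event.filePath})

      local record = {
        file_path = event.filePath,
        score = event.alertScore,
        entropy = event.entropy,
        file_extension = event.fileExtension,
        bk_file_operation = event.operation,
        file_alerts = {},
        header_string = event.headerString,
      }
      for _, metric in pairs(event.alertMetrics) do
        table.insert(record.file_alerts, metric)
      end
      if utils.FILE_RENAME == event.operation then
        record.file_previous_path = event.filePreviousPath
        record.file_previous_extension = event.filePreviousExtension
      end

      -- This function resets file_list but never creates alert_files. If the
      -- caller has not set it, table.insert would raise and the whole alert
      -- would be lost, so create it on first use and keep any existing table.
      if processTable.alert_files == nil then
        processTable.alert_files = {}
      end
      table.insert(processTable.alert_files, record)
    end
    return
  end

  -- Legacy layout: three passes over the events, kept separate so the order of
  -- entries in file_list stays "all plain paths, all score strings, all metric
  -- strings".
  --
  -- NOTE(review): the packed strings are built with `..`, which raises if any
  -- operand is nil, and a raised error here means no alert is produced. Confirm
  -- the event producer always sets fileName, alertScore, entropy, headerString,
  -- operation and (for renames) filePreviousPath.
  --
  -- NOTE(review): fields are joined with '|' and not escaped. If a consumer
  -- splits on '|', any field that can contain that character makes the record
  -- ambiguous. headerString looks like the likeliest candidate if it carries
  -- file content -- confirm.
  for _, event in pairs(events) do
    table.insert(processTable.file_list, {file_path = event.filePath})
  end

  for _, event in pairs(events) do
    local summary = event.fileName
      .. ' | ' .. event.alertScore
      .. ' | ' .. event.entropy
      .. ' | ' .. event.headerString
    table.insert(processTable.file_list, {file_path = summary})
  end

  for _, event in pairs(events) do
    local packed = event.fileName
    for _, metric in pairs(event.alertMetrics) do
      packed = packed .. '|' .. metric
    end
    -- `+` binds tighter than `..`, so the operation code goes through numeric
    -- addition before being appended. The parentheses only make that explicit.
    packed = packed .. ' | ' .. (event.operation + .0)
    if utils.FILE_RENAME == event.operation then
      packed = packed .. ' | ' .. event.filePreviousPath
    end
    table.insert(processTable.file_list, {file_path = packed})
  end
end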