in ransomware/artifact.lua [1969:1994]
function globals.CleanEventData(eventData)
if utils.TableHasKey(eventData, 'filePath') then
eventData.filePath = utils.RemoveAdsFromPath(eventData.filePath)
eventData.fileName = eventData.filePath:match('[^\\]+$')
end
if utils.TableHasKey(eventData, 'fileExtension') then
eventData.fileExtension = utils.RemoveAdsFromPath(eventData.fileExtension)
end
if utils.TableHasKey(eventData, 'filePreviousPath') then
eventData.filePreviousPath = utils.RemoveAdsFromPath(eventData.filePreviousPath)
eventData.filePreviousName = eventData.filePreviousPath:match('[^\\]+$')
end
if utils.TableHasKey(eventData, 'filePreviousExtension') then
eventData.filePreviousExtension = utils.RemoveAdsFromPath(eventData.filePreviousExtension)
end
if utils.IsOfficeLockFile(eventData.fileExtension, eventData.fileName) then
utils.DebugLog('OFFICE LOCK FILE: ' .. eventData.filePath)
eventData.officeLockFile = true
else
eventData.officeLockFile = false
end
end