in ransomware/artifact.lua [2407:2468]
--- Build the per-event record for a single file operation.
-- Copies the identifying fields from `inputData`, derives the file name and
-- normalized path, converts the file header into byte-array and hex forms,
-- seeds the scoring/state fields with their defaults, and then hands the
-- record to `SetExtensionData`.
--
-- `inputData.filePath` must be a string; a nil value raises on the `:match`
-- call. For rename events `inputData.filePreviousPath` must be a string too.
--
-- @tparam table inputData raw event fields (processId, fileOperation,
--   fileExtension, entropy, filePath, officeLockFile; optionally
--   parentProcessId, headerString or headerBytes, and for renames
--   filePreviousPath / filePreviousExtension)
-- @treturn table the populated event record
function Ransomware:EventData(inputData)
  local event = {
    processId = inputData.processId,
    operation = inputData.fileOperation,
    entropy = inputData.entropy,
    officeLockFile = inputData.officeLockFile,
    -- Defaults; overwritten below when the input carries a value.
    parentProcessId = globals.INVALID_PROCESS_ID,
    renameTransition = globals.DEFAULT_RENAME,
    -- Scoring / state fields start from a clean slate for every event.
    alertScore = 0.0,
    alertMetrics = {},
    multipleExtension = false,
    numAbnormalExtensionCharacters = 0,
    headerMismatch = false,
    previousHeaderMismatch = false,
    entropyStatus = globals.ENTROPY_STATUS_DEFAULT,
    previousEntropyStatus = globals.ENTROPY_STATUS_DEFAULT,
  }

  -- The file name is the last backslash-separated component of the path as
  -- supplied, taken before the path is passed through RemoveAdsFromPath.
  -- NOTE(review): a path ending in '\' makes the match return nil; confirm
  -- utils.RemoveAdsFromExtension tolerates a nil argument.
  local suppliedPath = inputData.filePath
  local leafName = suppliedPath:match('[^\\]+$')
  event.filePath = utils.RemoveAdsFromPath(suppliedPath)
  event.fileName = utils.RemoveAdsFromExtension(leafName)
  event.fileExtension = utils.RemoveAdsFromExtension(inputData.fileExtension)

  if utils.TableHasKey(inputData, 'parentProcessId') then
    event.parentProcessId = inputData.parentProcessId
  end

  if event.operation == globals.FILE_RENAME then
    -- The previous path, extension and name are stored as supplied; unlike
    -- the current ones they are not passed through the RemoveAds* helpers
    -- here.
    -- NOTE(review): confirm the old-vs-new comparisons downstream normalize
    -- these, so a stream suffix on the old name cannot skew rename or
    -- extension-change checks.
    local priorPath = inputData.filePreviousPath
    event.filePreviousPath = priorPath
    event.filePreviousExtension = inputData.filePreviousExtension
    event.filePreviousName = priorPath:match('[^\\]+$')
  end

  -- Header source: 'headerString' wins over 'headerBytes'; with neither key
  -- present the header is the empty string.
  local rawHeader = ''
  if utils.TableHasKey(inputData, 'headerString') then
    rawHeader = inputData.headerString
  elseif utils.TableHasKey(inputData, 'headerBytes') then
    rawHeader = inputData.headerBytes
  end
  -- Both representations are derived from the same raw header value.
  event.headerBytes = utils.StringToByteArray(rawHeader)
  event.headerString = utils.Hexlify(rawHeader)

  -- Explicitly unset here; presumably filled in by SetExtensionData -- verify.
  event.currentExtensionData = nil
  event.previousExtensionData = nil

  event.normalizedPath = utils.NormalizePath(event.filePath)

  -- Dot call on purpose: the new record, not `self`, is the first argument.
  self.SetExtensionData(event)
  return event
end