https://pastein.ru/t/SW8
Загрузка данных
root@ilyavm:/home/ilya/Downloads/курсач (2)/курсач# pwsh ./Invoke-Triage.ps1 -OutputPath .\Output -ScanPaths '/root/RansomwareTestEnv'
+==========================================================+
| RANSOMWARE TRIAGE COLLECTOR v1.0.0 |
+==========================================================+
[2026-06-02 11:41:55.598] [INFO] Case ID : triage_ilyavm_20260602_114155
[2026-06-02 11:41:55.619] [INFO] Host : ilyavm
[2026-06-02 11:41:55.621] [INFO] OS : Linux
[2026-06-02 11:41:55.625] [INFO] PS : 7.6.2 (Core)
[2026-06-02 11:41:55.628] [INFO] Admin : True
[2026-06-02 11:41:55.630] [INFO] Output : /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155
[2026-06-02 11:41:55.632] [INFO] Started : 2026-06-02T11:41:55.4576688+03:00
[2026-06-02 11:41:55.638] [OK] ------------------------------------------------------------
[2026-06-02 11:41:55.640] [OK] Step 1/4 - Volatile data (RFC 3227)
[2026-06-02 11:41:55.642] [OK] ------------------------------------------------------------
[2026-06-02 11:41:55.710] [INFO] Module loaded: Collect-Volatile
[2026-06-02 11:41:55.720] [INFO] [volatile] system snapshot...
[2026-06-02 11:41:56.019] [INFO] [volatile] processes...
[2026-06-02 11:41:59.216] [INFO] [volatile] no suspicious processes found
[2026-06-02 11:41:59.218] [INFO] [volatile] network connections...
[2026-06-02 11:41:59.476] [WARN] [volatile] ss unavailable: Cannot convert value "*" to type "System.Int32". Error: "The input string '*' was not in a correct format."
[2026-06-02 11:41:59.482] [WARN] Manifest: file not found - /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155/volatile/network_connections.json
[2026-06-02 11:41:59.487] [INFO] [volatile] user sessions...
[2026-06-02 11:41:59.659] [INFO] [volatile] environment variables...
[2026-06-02 11:41:59.689] [OK] Volatile: complete
[2026-06-02 11:41:59.691] [OK] Step completed: Volatile
[2026-06-02 11:41:59.693] [OK] ------------------------------------------------------------
[2026-06-02 11:41:59.695] [OK] Step 2/4 - Network artifacts
[2026-06-02 11:41:59.697] [OK] ------------------------------------------------------------
[2026-06-02 11:41:59.708] [INFO] Module loaded: Collect-Network
[2026-06-02 11:41:59.727] [INFO] [net] DNS cache...
[2026-06-02 11:41:59.830] [INFO] [net] hosts file...
[2026-06-02 11:41:59.859] [WARN] [net] non-default lines in hosts: 6
[2026-06-02 11:41:59.862] [INFO] [net] ARP table...
[2026-06-02 11:41:59.910] [INFO] [net] routing table...
[2026-06-02 11:41:59.956] [INFO] [net] firewall...
[2026-06-02 11:42:00.078] [WARN] [net/fw] iptables empty or unavailable
[2026-06-02 11:42:00.090] [WARN] [net/fw] iptables empty or unavailable - system may be unprotected
[2026-06-02 11:42:00.093] [INFO] [net] network adapters...
[2026-06-02 11:42:00.110] [INFO] [net] IoC matching...
[2026-06-02 11:42:00.121] [INFO] [net] no IoC matches found
[2026-06-02 11:42:00.123] [OK] Network: complete
[2026-06-02 11:42:00.125] [OK] Step completed: Network
[2026-06-02 11:42:00.126] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.128] [OK] Step 3/4 - File system
[2026-06-02 11:42:00.130] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.140] [INFO] Module loaded: Collect-FileSystem
[2026-06-02 11:42:00.143] [INFO] Scan paths: /root/RansomwareTestEnv
[2026-06-02 11:42:00.153] [INFO] [fs] scan paths: /root/RansomwareTestEnv
[2026-06-02 11:42:00.163] [INFO] [fs] searching for suspicious extensions...
[2026-06-02 11:42:00.167] [INFO] [ext-scan] /root/RansomwareTestEnv
[2026-06-02 11:42:00.194] [WARN] [fs] found: 12 files, families: 12
[2026-06-02 11:42:00.196] [INFO] [fs] searching for ransom notes...
[2026-06-02 11:42:00.240] [WARN] [fs] ransom notes found: 3
[2026-06-02 11:42:00.242] [INFO] [fs] entropy analysis (threshold H > 7.9)...
[2026-06-02 11:42:00.252] [INFO] [entropy] checked files: 0, anomalies: 0
[2026-06-02 11:42:00.254] [INFO] [fs] no entropy anomalies found
[2026-06-02 11:42:00.255] [INFO] [fs] modification timeline analysis...
[2026-06-02 11:42:00.279] [OK] FileSystem: complete
[2026-06-02 11:42:00.281] [OK] Step completed: FileSystem
[2026-06-02 11:42:00.283] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.285] [OK] Step 4/4 - System artifacts (Linux)
[2026-06-02 11:42:00.286] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.297] [ERROR] ERROR in step 'Collect-Linux': The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:209 char:40
+ @{ Pattern = 'python.*-c\s+["\']import\s+socket'; Reason = 'P …
+ ~
Unexpected token ']' in expression or statement.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:209 char:11
+ @{ Pattern = 'python.*-c\s+["\']import\s+socket'; Reason = 'P …
+ ~
Missing closing '}' in statement block or type definition.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:346 char:84
+ … -match 'ExecStart=.*((/tmp|/dev/shm|/var/tmp|AppData|\.sh)\b|base64) …
+ ~~
Unexpected token '\b' in expression or statement.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:346 char:84
+ … nt -match 'ExecStart=.*((/tmp|/dev/shm|/var/tmp|AppData|\.sh)\b|base6 …
+ ~
Missing closing ')' in expression.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:346 char:94
+ … tch 'ExecStart=.*((/tmp|/dev/shm|/var/tmp|AppData|\.sh)\b|base64)') {
+ ~~~~
Unexpected token '') {
$suspUnits.Add([PSCustomObject]@{
File = $_.FullName
Excerpt = ($content -split '' in expression or statement.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:349 char:49
+ Excerpt = ($content -split '\n' |
+ ~~~~~
Unexpected token '\n' |
Where-Object { $_ -match 'ExecStart' } |
Select-Object -First 3) -join '' in expression or statement.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:720 char:42
+ $lnxDir = Join-Path $OutputDir 'linux'
+ ~
The string is missing the terminator: '.
At /home/ilya/Downloads/курсач (2)/курсач/Modules/Collect-Linux.psm1:191 char:34
+ function Find-SuspiciousCommands {
+ ~
Missing closing '}' in statement block or type definition.
[2026-06-02 11:42:00.299] [ERROR] Stack: at Import-TriageModule, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 188
at <ScriptBlock>, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 460
at Invoke-TriageStep, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 287
at Start-Triage, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 459
at <ScriptBlock>, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 516
[2026-06-02 11:42:00.301] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.303] [OK] Finalization
[2026-06-02 11:42:00.305] [OK] ------------------------------------------------------------
[2026-06-02 11:42:00.351] [OK] Manifest saved: /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155/manifest.json (19 artifacts)
[2026-06-02 11:42:00.360] [INFO] Module loaded: Export-Report
[2026-06-02 11:42:00.366] [INFO] [report] building summary...
[2026-06-02 11:42:00.408] [INFO] [report] generating HTML...
[2026-06-02 11:42:00.436] [ERROR] ERROR in step 'Export-Report': Method invocation failed because [System.DateTime] does not contain a method named 'Substring'.
[2026-06-02 11:42:00.438] [ERROR] Stack: at <ScriptBlock>, /home/ilya/Downloads/курсач (2)/курсач/Modules/Export-Report.psm1: line 335
at Build-HtmlReport, /home/ilya/Downloads/курсач (2)/курсач/Modules/Export-Report.psm1: line 332
at Export-TriageReport, /home/ilya/Downloads/курсач (2)/курсач/Modules/Export-Report.psm1: line 424
at <ScriptBlock>, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 476
at Invoke-TriageStep, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 287
at Start-Triage, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 474
at <ScriptBlock>, /home/ilya/Downloads/курсач (2)/курсач/Invoke-Triage.ps1: line 516
[2026-06-02 11:42:00.488] [OK] Manifest saved: /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155/manifest.json (20 artifacts)
[2026-06-02 11:42:00.493] [OK] Duration: 00:00:05
============================================================
RANSOMWARE TRIAGE - COMPLETE
============================================================
Case ID : triage_ilyavm_20260602_114155
Host : ilyavm
OS : Linux
Duration : 00:00:05
Artifacts : 20
Errors : 2
RISK ASSESSMENT
Level : CRITICAL (score: 70/100)
OUTPUT
Dir : /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155
Report : /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155/report.html
Manifest : /home/ilya/Downloads/курсач (2)/курсач/.Output/triage_ilyavm_20260602_114155/manifest.json
============================================================
