# NOTE(review): this span is a captured interactive terminal history (PowerShell
# prompt: the `&` call operator, `clc`, `cd .\codzilla\`), not a runnable script.
# The export hard-wrapped long commands over several physical lines and replaced
# file names / addresses with `[Link]` tokens, so wrapped commands (e.g. the
# four-line activate/deactivate invocations and the fused `[Link]&` at the
# `...&` line) cannot be reconstructed reliably from this view; lines kept as-is.
pip install python
end`
clc
clc
print("hoello world")
ls
cl
clear
python -u "d:\programe\python\ahmed sami\[Link]"
python -u "d:\programe\python\ahmed sami\[Link]"
python -u "d:\programe\python\ahmed sami\[Link]"
cl
clear
python -u "d:\programe\python\ahmed sami\[Link]"
ls
mkdir codzilla
ls
cd .\codzilla\
pip install requests
# VS Code Python extension: one command (wrapped over four lines) that runs the
# extension's environment activate helper followed by the PowerShell deactivate script
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link] c:\Users\
m84369680\.vscode\extensions\[Link]-2024.14.1-win32-x64\python_files\
[Link] c:\Users\m84369680\.vscode\extensions\[Link]-
2024.14.1-win32-x64\python_files\deactivate\powershell\[Link]
pip list
pip install requests
pip list
# two misspelled package names before the correct beautifulsoup4 below
pip install peautifuloup4
pip install beautifuloup4
pip install beautifulsoup4
pip install lxml
pip list
where is requests
?
pip -h
python -u "d:\programe\python\ahmed sami\codzila\web_scrapping"
# same activate/deactivate invocation, extension version 2024.22.1 (wrapped over four lines)
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link] c:\Users\
m84369680\.vscode\extensions\[Link]-2024.22.1-win32-x64\python_files\
[Link] c:\Users\m84369680\.vscode\extensions\[Link]-
2024.22.1-win32-x64\python_files\deactivate\powershell\[Link]
python -u "d:\programe\python\codzilla\web_scrapping"
# the project .venv interpreter (name redacted) run against the script; the
# following lines alternate between the global Python313 interpreter and that script
& d:/programe/python/.venv/Scripts/[Link]
d:/programe/python/codzilla/web_scrapping
python -u "d:\programe\python\codzilla\web_scrapping"
pip list
pip list
ls
cd .\codzilla\
pip list
python -u "d:\programe\python\codzilla\web_scrapping"
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
pip list
python -u "d:\programe\python\codzilla\web_scrapping"
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
clr
clear
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
"d:/programe/python/ahmed sami/[Link]"
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/web_scrapping
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
# NOTE(review): `curses` is a CPython standard-library module, not a pip package
# for Windows; this install presumably did not provide it — verify (the
# windows-curses wheel is the usual substitute)
pip install curses
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
pip list
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
# two invocations fused by the export: the script path and the next `&` share a line
d:/programe/python/codzilla/[Link]&
C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
# VS Code debug session: the extension's bundled debugpy launcher started with
# a port argument ('49394') and the script path (one command wrapped over four lines)
& 'c:\Users\m84369680\AppData\Local\Programs\Python\Python313\[Link]' 'c:\
Users\m84369680\.vscode\extensions\[Link]-2024.14.0-win32-x64\bundled\
libs\debugpy\adapter/../..\debugpy\launcher' '49394' '--' 'd:\programe\python\
codzilla\[Link]'
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
d:/programe/python/codzilla/[Link]
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link]
"d:/programe/python/ahmed sami/codzila/[Link]"
python -u "c:\Users\m84369680\Downloads\Python - The [Link]"
# same activate/deactivate invocation, extension version 2025.0.0 (wrapped over four lines)
& C:/Users/m84369680/AppData/Local/Programs/Python/Python313/[Link] c:\Users\
m84369680\.vscode\extensions\[Link]-2025.0.0-win32-x64\python_files\
[Link] c:\Users\m84369680\.vscode\extensions\[Link]-
2025.0.0-win32-x64\python_files\deactivate\powershell\[Link]
# Start of the incident triage that the rest of the file continues: is an mshta
# process present, and is anything connected to the (redacted) remote address?
Get-Process mshta
Get-NetTCPConnection -RemoteAddress [Link]
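# --- mshta triage: process, network and on-disk indicators ---------------------
# NOTE(review): `[Link]` tokens below are redactions in the source (the mshta image
# name, the remote address, the batch-file name); substitute the real values
# before running. The trailing backticks that ended every original line were
# markdown inline-code artefacts, not PowerShell continuations, and were dropped.
# Comments were translated from Arabic.

# Check whether mshta exists as a process (alternative to Get-Process, catches
# every image name)
tasklist /FI "IMAGENAME eq [Link]"

# TCP connections pointing at the suspect address (netstat is always available)
netstat -ano | findstr "[Link]"

# Every current inbound/outbound connection with the owning binary (long
# output; -b needs an elevated prompt)
netstat -abno

# Downloads, Temp, ProgramData, Program Files and the user's Startup folder
$paths = @(
  "$env:USERPROFILE\Downloads",
  "$env:USERPROFILE\AppData\Local\Temp",
  "$env:ProgramData",
  "$env:ProgramFiles",
  "$env:USERPROFILE\Start Menu\Programs\StartUp"
)
foreach ($p in $paths) {
  if (Test-Path $p) {
    Write-Host "Searching $p"
    # -List stops at the first hit per file; locked/binary files are skipped silently
    Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue |
      Select-String -Pattern "mshta", "[Link]", "[Link]" -SimpleMatch -List -ErrorAction SilentlyContinue
  }
}

# Preserve the suspect batch file BEFORE deleting it. The original ran
# Remove-Item first and only then Copy-Item on the same path, so the copy could
# never succeed and the artefact was lost; it also deleted the file a second
# time further down. Order here: copy -> hash -> archive -> delete (once).
# NOTE(review): C:\Users\Public is readable by every local account; the
# destination is kept from the original, but an access-restricted investigation
# folder is the safer place for a live sample.
$sample     = "C:\Program Files\Computer_Config_info\[Link]"
$sampleCopy = "C:\Users\Public\zstart_sample.bat"
if (Test-Path $sample) {
  Copy-Item $sample $sampleCopy
  # Record the hash so the artefact can be matched later even if the file changes
  Get-FileHash -Path $sampleCopy -Algorithm SHA256 | Format-List
  Compress-Archive -Path $sampleCopy -DestinationPath "C:\Users\Public\zstart_sample.zip"
  Remove-Item $sample -Force
}

# Scheduled tasks that reference the batch file, its folder or mshta
schtasks /Query /FO LIST /V | findstr /I "[Link] Computer_Config_info mshta"

# Pasted lookup record from the original (fields redacted on this page); it is
# not a command and is kept for reference only:
# [Link]|46712|[Link]|[Link]

# Check whether mshta is still running and capture its PID(s). The original
# hard-coded PID 46712, which is only valid for the session it was observed in.
$mshta = Get-Process -Name mshta -ErrorAction SilentlyContinue
$mshta | Format-Table Id, ProcessName, Path -AutoSize
# Or with tasklist, which also shows the session and window title
tasklist /FI "IMAGENAME eq [Link]" /V

# Live connections with the remote IP
netstat -ano | findstr "[Link]"

# All connections owned by the mshta PID(s), if any were found
# ($pid is an automatic variable in PowerShell, hence the longer loop name)
$mshtaPids = @($mshta | ForEach-Object Id)
foreach ($mshtaPid in $mshtaPids) {
  netstat -ano | findstr "$mshtaPid"
}

# In PowerShell (Get-NetTCPConnection may not show everything on some builds
# without elevated privileges)
Get-NetTCPConnection -State Established |
  Where-Object { $_.RemoteAddress -eq "[Link]" -or $mshtaPids -contains $_.OwningProcess } |
  Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess -AutoSize

# Sysmon network-connection events (event Id 3) from the last 6 hours. The
# regex is kept verbatim from the original: it carries the un-redacted remote
# IP, the mshta name and the historical PID.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3; StartTime=(Get-Date).AddHours(-6)} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match "5\.129\.219\.231|mshta|46712" } |
  Select-Object TimeCreated, Id, Message -First 20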
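# --- Look at the sample, run an AV scan, snapshot the current state -------------
# NOTE(review): `[Link]` tokens are redactions in the source; trailing backticks
# from the original paste were dropped; comments translated from Arabic.

# Show the batch file contents (read-only; never execute it)
Get-Content "C:\Program Files\Computer_Config_info\[Link]" -ErrorAction SilentlyContinue

# Defender command-line scan (-ScanType 2 is a full scan). The original wrote
# "%ProgramFiles%\..." -Scan -ScanType 2: %ProgramFiles% is cmd syntax and is not
# expanded by PowerShell, and a bare quoted string followed by arguments is a
# parse error rather than an invocation. Use the call operator and $env:ProgramFiles.
& "$env:ProgramFiles\Windows Defender\[Link]" -Scan -ScanType 2

# mshta process details (the original printed this twice; once is enough).
# `Select` is the alias of Select-Object; the cmdlet name is used here.
Get-Process mshta -ErrorAction SilentlyContinue |
  Select-Object Id, ProcessName, Path, StartTime | Format-List

# Every process that exposes an image path, saved to the desktop
Get-Process | Where-Object { $_.Path } |
  Select-Object Id, ProcessName, Path, StartTime |
  Out-File "$env:USERPROFILE\Desktop\process_list.txt"

# Executables and scripts modified in the last day under the usual drop
# locations. NOTE(review): LastWriteTime is set by whoever writes the file and
# can be backdated, so an empty result does not clear a path — treat as a hint.
$since = (Get-Date).AddDays(-1)
$dropPaths = @(
  $env:TEMP,
  "$env:USERPROFILE\Downloads",
  "$env:USERPROFILE\AppData\Local\Temp",
  "C:\ProgramData",
  "C:\Users"
)
Get-ChildItem -Path $dropPaths -Include *.exe,*.dll,*.hta,*.vbs,*.ps1 -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -ge $since } |
  Select-Object FullName, LastWriteTime |
  Out-File "$env:USERPROFILE\Desktop\recent_suspicious_files.txt"

# Whole-drive sweep for .hta / .odd files and anything named hip.* (slow)
Get-ChildItem -Path C:\ -Include *.hta,*.odd,hip.* -Recurse -ErrorAction SilentlyContinue |
  Select-Object FullName, LastWriteTime |
  Out-File "$env:USERPROFILE\Desktop\hta_odd_matches.txt"

# Connection snapshots: lines matching the remote address, then everything
netstat -ano | Select-String "[Link]" > "$env:USERPROFILE\Desktop\netstat_maybe.txt"
netstat -abno > "$env:USERPROFILE\Desktop\netstat_all.txt"

# Export the last 24 h (86400000 ms) of the System, Application and PowerShell
# logs as text. The XPath filter is shared instead of repeated three times.
$last24h = '/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]'
wevtutil qe System $last24h /f:text > "$env:USERPROFILE\Desktop\System_Last24h.txt"
wevtutil qe Application $last24h /f:text > "$env:USERPROFILE\Desktop\Application_Last24h.txt"
wevtutil qe Microsoft-Windows-PowerShell/Operational $last24h /f:text > "$env:USERPROFILE\Desktop\Powershell_Last24h.txt"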
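# --- Evidence collection runbook (steps 1-10, order kept from the original) ------
# NOTE(review): the trailing backticks on every original line were markdown
# inline-code artefacts, not PowerShell continuations, and were dropped; comments
# translated from Arabic. Several steps (Security log, service image paths,
# owning-process data) need an elevated prompt. Consider restricting the ACL on
# the output folder: the history file and event logs collected here can hold
# credentials and other sensitive data.
$inv = 'C:\Investigations'

# Create the folder that collects the evidence
New-Item -Path $inv -ItemType Directory -Force

# 1) Current process list, saved to disk
Get-Process | Sort-Object -Property Id |
  Format-Table Id, ProcessName, Path -AutoSize > "$inv\process_list_current.txt"

# 2) Current network connections (owning-process data requires privileges)
netstat -ano > "$inv\netstat_anon.txt"
# (or via PowerShell; the NetTCP cmdlets are missing on some Windows builds)
Get-NetTCPConnection | Sort-Object -Property State, RemoteAddress > "$inv\net_tcp_connections.txt"

# 3) Scheduled tasks that are not disabled
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
  Format-Table TaskName, TaskPath, State > "$inv\scheduled_tasks.txt"

# 4) Autostart entries from the registry Run/RunOnce keys. The original put
# -ErrorAction on Out-File, where it has no effect; it belongs on
# Get-ItemProperty, the cmdlet that fails when a key is absent. The 32-bit view
# under Wow6432Node is included for HKLM.
$runKeysHklm = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run*',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*'
)
Get-ItemProperty -Path $runKeysHklm -ErrorAction SilentlyContinue |
  Out-File "$inv\run_keys_HKLM.txt"
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run*' -ErrorAction SilentlyContinue |
  Out-File "$inv\run_keys_HKCU.txt"

# 5) HTA / web / script files on the desktop
Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Recurse -Include *.hta,*.htm,*.html,*.js,*.vbs |
  Select-Object FullName, LastWriteTime > "$inv\desktop_suspicious_files.txt"

# 6) Last 200 PowerShell history entries — only if a history file exists (the
# original read the path unconditionally and failed when it was unset).
# NOTE(review): PSReadLine history can contain credentials typed at the prompt.
$hist = (Get-PSReadlineOption).HistorySavePath
if ($hist -and (Test-Path $hist)) {
  Get-Content $hist | Select-Object -Last 200 > "$inv\powershell_history_last200.txt"
}

# 7) Recent Security / PowerShell events. The original hard-coded a fixed UTC
# start timestamp (redacted on the page); derive it from "now" minus a
# configurable look-back so the runbook stays reusable. Security log needs admin.
$lookbackDays = 1
$startUtc = (Get-Date).AddDays(-$lookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$securityQuery = "/q:*[System[(TimeCreated[@SystemTime>='$startUtc'])]]"
wevtutil qe Security $securityQuery /f:text > "$inv\security_events_recent.txt"
wevtutil qe Microsoft-Windows-PowerShell/Operational /f:text > "$inv\powershell_events.txt"

# 8) Running services with their binary paths. One CIM query replaces the
# original Get-Service loop that issued a Get-WmiObject call per service
# (Get-WmiObject is not available in PowerShell 7+). PathName is where an
# implanted service points at an unexpected binary.
Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" |
  Select-Object Name, DisplayName, PathName |
  Format-Table -AutoSize > "$inv\running_services_with_path.txt"

# 9) Installed programs with install date. The original read only the 32-bit
# Wow6432Node view; the native 64-bit Uninstall key is added.
$uninstallKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Select-Object DisplayName, InstallDate, Publisher > "$inv\installed_programs.txt"

# 10) Archive a copy of the desktop contents (for analysis only; do not open
# files from the archive on this host)
Compress-Archive -Path "$env:USERPROFILE\Desktop\*" -DestinationPath "$inv\desktop_contents.zip" -Force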