Once the malware has completed its checks, it spawns more than ten threads, each responsible for a different collection task, so that the operations described below run concurrently rather than one after another.
The file grabber only takes RTF, DOC, DOCX, TXT and JSON files smaller than 20 KB. Matching files are copied into a "grabber" subfolder of the hidden directory structure the malware created earlier, which is the staging area for everything it collects.
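During incident response it is useful to know which files on an affected machine fell within the grabber's selection criteria, since those are the ones most likely to have been staged and exfiltrated. The script below is an added example written for this page, not code recovered from the malware: it applies the same two filters the analysis describes (extension in the RTF/DOC/DOCX/TXT/JSON set, size strictly below 20 KB) to a directory tree and returns the matching paths. It assumes that "20 KB" means 20 * 1024 bytes and that the extension match is case-insensitive, as it would be on a Windows filesystem; both are assumptions, not facts from the analysis. The sample files it scans are constructed inside a temporary directory so the example runs offline.

```python
"""Scope which files the document grabber described above would have selected.

Added example for impact assessment; not the malware's own code.
"""
import os
import tempfile
from pathlib import Path

# Selection criteria taken from the analysis text.
GRABBER_EXTENSIONS = {".rtf", ".doc", ".docx", ".txt", ".json"}
# Assumption: "smaller than 20 KB" is read as a strict < 20 * 1024 bytes.
GRABBER_MAX_BYTES = 20 * 1024


def would_be_grabbed(path, max_bytes=GRABBER_MAX_BYTES, exts=GRABBER_EXTENSIONS):
    """Return True if a regular file matches the grabber's extension and size filters.

    Assumption: the extension comparison is case-insensitive (Windows paths).
    """
    path = Path(path)
    if not path.is_file():
        return False
    if path.suffix.lower() not in exts:
        return False
    return path.stat().st_size < max_bytes


def scope_exposed_files(root, max_bytes=GRABBER_MAX_BYTES, exts=GRABBER_EXTENSIONS):
    """Walk `root` and return sorted POSIX-style relative paths of files the grabber would take."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if would_be_grabbed(candidate, max_bytes, exts):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_tree(base):
    """Create constructed sample files (not from any real host) that exercise each filter edge."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    samples = {
        "docs/notes.txt": b"x" * 100,               # small .txt: selected
        "docs/config.JSON": b"{}",                  # upper-case extension: selected (assumed case-insensitive)
        "docs/report.docx": b"x" * GRABBER_MAX_BYTES,  # exactly 20 KB: not "smaller than", skipped
        "docs/big.rtf": b"x" * (64 * 1024),         # over the limit: skipped
        "docs/keys.pdf": b"%PDF-1.4",               # extension not in the list: skipped
    }
    for rel, data in samples.items():
        (base / rel).write_bytes(data)
    return base


def demo():
    """Build the constructed tree in a temp directory and return what the grabber would select."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return scope_exposed_files(tmp)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Pointing `scope_exposed_files` at a user's profile directory gives responders a concrete list of documents to treat as compromised; the boundary cases in the constructed tree (a file of exactly 20 KB, an upper-case extension) are there because those are the details the analysis leaves open and an analyst should confirm against the actual sample before relying on them.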
The malware also lists all installed software on the system.
If the malware detects a browser it recognises, it steals that browser's stored data: saved login credentials, cookies, the encryption keys that protect them, and master passwords.
Discord tokens and Telegram session data are also collected, and a screenshot of the user's desktop is captured.
The registry is then queried for traces of cryptocurrency wallets such as Litecoin, Dash, and Bitcoin, after which the malware targets locally installed wallet applications including Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda, and Coinomi. Wallet files are copied from a predefined list of folders, and wallet extensions in Chromium-based browsers are targeted as well.
Once collection is complete, the staged data is compressed, sent to an attacker-controlled server, and then deleted from the host, leaving little of the staged material on disk for responders to recover.