.NET Reactor proctector

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Checks computer location settings

Looks up country code configured in the registry, likely geofence.

Drops startup file

Executes dropped EXE

Reads data files stored by FTP clients

Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files

Steal credentials from unsecured files.

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger