This malware is a cryptocurrency miner packed by yet another variant of an NSIS-based cryptor. Let’s have a brief look.

I am loading it under ImmunityDbg. We can see some NSIS-related strings. Let’s confirm that the debugger is set to pause on every newly loaded module.

System.dll is a part of the NSIS package (nothing interesting for us). This new DLL is also part of the package (not our payload). The real payload will be loaded by overwriting another PE in memory, using WriteProcessMemory. Let’s set a breakpoint on it and observe.

We can see a new PE file revealed. Is it our payload? Let’s remove the redundant data from the beginning of the dumped memory area. The PE headers are correct, but the code looks invalid. The same problem applies to the other elements (imports, etc.).

Let’s see what happens on the other writes. There is again a PE file written. Is it valid this time? Hmm, no, it is the same. But is it loading something more? It seems that this time the content of the .text section has changed (probably filled with valid content). I am dumping it again to check. In the old buffer the .text section was filled with rubbish; now it is overwritten by the valid data. I dumped the valid content of the .text section to save it aside.

Now it should reveal another missing section. And yes, it revealed a new section (.rdata), but at the same time it erased the previously filled .text section. I am saving it aside, and we will put them all together later.
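Putting the sections back together, as an added example that is not part of the original post: each WriteProcessMemory call leaves a dump in which only one section holds real content, so the rebuild copies each section (by RVA from the section table) out of the dump where it was seen valid. The sample dumps are constructed in-line with a minimal PE header; which dump holds the valid copy of which section is supplied by hand, as it was decided by inspection above.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(image):
    """Return [(name, rva, size)] from the section table of an in-memory PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    first = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, rva, rawsize, *_ = SECTION_HDR.unpack_from(image, first + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0").decode(), rva, max(vsize, rawsize)))
    return out

def merge_dumps(dumps, valid_in):
    """Rebuild one image from several partial dumps of the same PE.
    dumps: in-memory images dumped after each write (headers at offset 0).
    valid_in: {section_name: dump_index}, the dump holding that section's real content."""
    layout = parse_sections(dumps[0])
    for d in dumps[1:]:
        # every dump must describe the same image, otherwise RVAs do not line up
        if parse_sections(d) != layout or len(d) != len(dumps[0]):
            raise ValueError("dumps do not describe the same image")
    merged = bytearray(dumps[0])  # headers were already valid in the first dump
    for name, rva, size in layout:
        src = dumps[valid_in[name]]
        merged[rva:rva + size] = src[rva:rva + size]
    return bytes(merged)

def build_image(sections):
    """Constructed test data: a minimal in-memory PE image, not a real binary.
    sections: [(name_bytes, rva, data)]"""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    hdr += b"\0" * 0xE0                                          # zeroed optional header
    for name, rva, data in sections:
        hdr += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), rva, len(data), 0, 0, 0, 0, 0, 0x60000020)
    img = bytearray(max(rva + len(d) for _, rva, d in sections))
    img[:len(hdr)] = hdr
    for _, rva, data in sections:
        img[rva:rva + len(data)] = data
    return bytes(img)

TEXT = b"\x55\x8b\xec" + b"\x90" * 13           # constructed "valid" .text
RDATA = b"Hello\0World\0\0\0\0\0"               # constructed "valid" .rdata
JUNK = b"\xcc" * 16                             # the rubbish seen before a section is filled
DUMP1 = build_image([(b".text", 0x1000, TEXT), (b".rdata", 0x2000, JUNK)])
DUMP2 = build_image([(b".text", 0x1000, JUNK), (b".rdata", 0x2000, RDATA)])
REBUILT = merge_dumps([DUMP1, DUMP2], {".text": 0, ".rdata": 1})
```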