Many malware samples are packed by a crypter using installer scripts. We can distinguish them by a NSIS tag on Virus Total. In this tutorial, I will show how to approach static decryption of such packages. Find a DLL and the exported function, that will be used for unpacking, to find out the correct algorithm. In some cases, it is not a pure XOR, but usually you can figure out the modifications by looking at the output. This type of crypter may use a simple XOR as well as some more complex algorithms.”]
Source: https://hshrzd.wordpress.com/2016/07/03/unpacking-nsis-based-crypter-step-by-step/