The purpose is finding interesting stuff about a binary.

The binary is not that obfuscated it uses xor to decrypt hardcoded strings. Another one can be seen here: By manually reversing the process we get:

Then the process calls create_mutex_a api so this part of the malware creates a mutex with the decoded name.

Next the malware wants to create a file using these strings:

The next decryptions are related to the registry: SOFTWARE\Microsoft\Windows\CurrentVersion\Run It sets the key WebLaunchAssist as a persistance mechanism

Furthermore it reads: Software\Classes\http\shell\open\command

Then it tries to connect to http://maybe.suspicious.to/secondstag using a get request.

Using OSINT techniques we can see this is part of flare on challenge 12 (https://armerj.github.io/Flare-on-Challenge-12-Part-1/)