The body carries, in its resource section, 3 modules for x86 and x64 operating systems:
1. A disk driver.
2. An MBR encryptor, which also controls the driver used for MBR encryption.
The modules are placed in the resources the same way as in NotPetya, but they are now XORed beforehand with the single-byte key 0xE9. For compressing the modules in the resources zlib 1.2.8 is used, the same as in NotPetya, even though the most recent version is 1.2.12.
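The following resource decoder is an added example for illustration and is not code from the sample or from the original analysis. It unpacks a module that has been zlib-compressed and XORed with 0xE9. The order of the two operations is an assumption: the decoder first tries XOR-then-inflate (the XOR applied to the compressed stream) and falls back to inflate-then-XOR, using the RFC 1950 header check to decide which order produced a valid zlib stream. The sample module and the `build_resource` helper are constructed here so the script runs offline; the function names are our own.

```python
import zlib

XOR_KEY = 0xE9  # single-byte key named in the analysis


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_zlib(data: bytes) -> bool:
    """Sanity check on a zlib header (RFC 1950): CM == 8 (deflate) and the
    CMF/FLG pair, read as a big-endian 16-bit value, is a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def decode_resource(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Recover a module from a resource that was zlib-compressed and XORed.

    Assumption: the order of XOR and compression is unknown, so try
    XOR-then-inflate first and inflate-then-XOR second.
    """
    unxored = xor_bytes(blob, key)
    if looks_like_zlib(unxored):
        return zlib.decompress(unxored)
    if looks_like_zlib(blob):
        return xor_bytes(zlib.decompress(blob), key)
    raise ValueError("no zlib header found with key 0x%02X in either order" % key)


def is_pe(data: bytes) -> bool:
    """A decoded driver or encryptor module should start with the MZ signature."""
    return data[:2] == b"MZ"


# Constructed stand-in for a module; not data taken from the sample.
SAMPLE_MODULE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"fake driver body " * 8


def build_resource(module: bytes, key: int = XOR_KEY,
                   xor_after_compress: bool = True) -> bytes:
    """Produce a resource blob the way the analysis describes (zlib + XOR),
    in either order, so the decoder can be exercised against both."""
    if xor_after_compress:
        return xor_bytes(zlib.compress(module), key)
    return zlib.compress(xor_bytes(module, key))


if __name__ == "__main__":
    blob = build_resource(SAMPLE_MODULE)
    module = decode_resource(blob)
    print("decoded %d bytes, PE signature present: %s" % (len(module), is_pe(module)))
```

In practice the blob is taken from the PE resource directory of the dropped DLL; the header check is what tells you, without guessing, whether the XOR layer sits above or below the compression.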
To hinder debugging, after launch the program deletes the file C:\Windows\infpub.dat, having first copied it into memory. It then unloads its own image by calling the API function FreeLibrary() and transfers control to the memory region into which the contents were copied.
After that, a mutex is used to synchronize with other instances: if the mutex already exists, the program terminates.
If the process holds the SeDebugPrivilege privilege, the driver of the open-source product DiskCryptor (https://diskcryptor.net)
is unpacked and saved to C:\Windows\cscc.dat. Conversely, if the file C:\Windows\cscc.dat is already present, the program terminates.