https://hexpysya.github.io/tags/dnspy/Recent content in Dnspy on bubka hacks stuffHugo -- gohugo.ioen-usSun, 01 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-xworm/Sun, 01 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-xworm/A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.https://hexpysya.github.io/investigations/htb-bypass/Wed, 28 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-bypass/https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/Tue, 25 Nov 2025 00:00:00 +0000https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/Sun, 23 Nov 2025 00:00:00 +0000https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/C2 .NET implant. AES-encrypted config, HTTPS beacon to <code>192.168.248.128</code>, fileless in-memory execution, anti-debug via divide-by-zero.