UnamSanctam / SilentXMRMiner

A Silent (Hidden) Monero (XMR) Miner Builder

How do you reflect it?

nerfirelia123 opened this issue · comments

Is there a way to make this reflect at runtime so it can be more useful in terms of detection? Right now the only way this works is by running the exe directly from disk. The only way I've made this get past Defender is by using a C# shellcode injector from disk, but that too eventually gets caught by Defender in about 15 minutes. There's no chance the bin will stay undetected even with the cleanest encryption, because its behavior is getting caught. This has to be pushed into memory somehow, but I'm sure you already know this. Any tips on how I can convert the CodeDOM output bin to work without needing to touch disk, so it's easy to just reflect the exe?

Well, right now it uses a C# shellcode injector for the miner installer/injector (which then injects the actual miner into memory using RunPE) to lower detections. Everything already runs purely in memory, so you can't really make anything else run in memory.

Well, mine will always require it to be on disk, since otherwise it can't really install the miner (unless you use exploits, of course, but they aren't very reliable long-term): if it's not on disk, there won't be any .exe to start when the computer starts.

Of course, it's technically possible to use reflective DLL loading through the Task Scheduler and the registry or similar methods, but I have had problems with it before. If you do want to try that, you can try disabling "Shellcode Loader" and adding it to the registry and Task Scheduler with something like this: https://github.com/bytecode77/r77-rootkit#fileless-persistence. Currently I'm experimenting with different methods in my new unified miner that's in development.

No problem, hope you find some good method.