It was quite hard for me to deal with the obfuscated code, and debug it with dnSpy or similar tools to get the original assembly. I decided to use Windbg's sos extension to walk the loaded assemblies and to find the dynamic assemblies belonging to the original malware code. With this extension it is possible to enum the method tables foreach assembly and the stacks foreach thread that is executing managed code, making easy to find jit generated code that belongs to the malware code (and interesting malware's data referenced by the jit generated code).
asdjdsffdgnms.exe (2018-08-19 10:25:54) KFDJfd.exe (2018-11-16 00:26:10) jjunpkvyalquru.exe (2018-09-01 21:40:15)
https://hackforums.net/showthread.php?tid=5875152 http://offensivecommunity.net/showthread.php?tid=76358 https://urlhaus.abuse.ch/browse/tag/AlphaIRCBot/ https://yck1509.github.io/ConfuserEx/ https://github.com/Loksie/KoiVM-Virtualization https://docs.microsoft.com/en-us/dotnet/framework/tools/sos-dll-sos-debugging-extension https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-managed-code https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/ https://github.com/CodeCracker-Tools/MegaDumper