It is RunPE. Set a break on CreateProcess. Once it is called, set a break on NtWriteProcessMemory and inspect every call after that. After a few system calls there will be the payload call trying to write a buffer with the decrypted executable. Dump this memory and extract the PE from the dump.
This is a generic technique for most malware "crypters".
This sample is identified by MS as TrojanDownloader:Win32/Talalpek.A and probably has a win32k exploit on board.
Notice it attempts to get SHAREDINFO by both binary search and a CsrClientConnectToServer call.
Ring0 - the source of inspiration
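The last step of the procedure above, "extract the PE from the dump", is the part that is easiest to script. The following is an added example (not code from the post or from the sample's author) of a small carver that walks a dumped write buffer, validates each `MZ` candidate against its `PE\0\0` signature and section table, and cuts out the embedded executable at the size its section headers imply. The PE blob it is run on is a constructed, non-executable stand-in built inline (`build_sample_pe`), so the script runs offline; on a real dump you would call `carve_pe_images` on the bytes read from the file the debugger wrote. `mapped=True` is an assumption for crypters that write the image section-by-section at virtual addresses rather than in file layout.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def pe_file_size(buf, base, mapped=False):
    """Return the byte length of the PE image starting at buf[base], or None if it is not a valid PE."""
    if base + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    nt = base + e_lfanew
    if e_lfanew > 0x1000 or nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    if nsec == 0 or nsec > 96 or opt_size < 64 or nt + 24 + opt_size > len(buf):
        return None
    # SizeOfHeaders sits at offset 60 of the optional header for both PE32 and PE32+
    end = struct.unpack_from("<I", buf, nt + 24 + 60)[0]
    sec_table = nt + 24 + opt_size
    for i in range(nsec):
        s = sec_table + i * 40
        if s + 40 > len(buf):
            return None
        _, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, buf, s)
        # file layout: extent is PointerToRawData + SizeOfRawData; mapped layout: VirtualAddress + VirtualSize
        end = max(end, (va + vsize) if mapped else (raw_ptr + raw_size))
    return min(end, len(buf) - base)  # truncate if the dump ends early


def carve_pe_images(buf, mapped=False):
    """Return a list of (offset, bytes) for every PE image found in the dump buffer."""
    found = []
    off = buf.find(b"MZ")
    while off != -1:
        size = pe_file_size(buf, off, mapped)
        if size:
            found.append((off, buf[off:off + size]))
            off = buf.find(b"MZ", off + size)
        else:
            off = buf.find(b"MZ", off + 1)
    return found


def build_sample_pe():
    """Constructed stand-in: a PE32 skeleton with two sections and no code (not a real executable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers directly follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 36, 0x200)   # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)   # SizeOfHeaders
    text = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HDR, b".data", 0x50, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"T" * 0x200 + b"D" * 0x200  # section bodies are filler


def sample_dump():
    """Constructed dump: slack bytes, a decoy 'MZ' with no PE header, the sample image, then trailing garbage."""
    return b"\x90" * 20 + b"MZ" + b"\x00" * 15 + build_sample_pe() + b"\xcc" * 50


if __name__ == "__main__":
    for off, image in carve_pe_images(sample_dump()):
        print("PE at dump offset 0x%x, %d bytes" % (off, len(image)))
        with open("carved_%x.bin" % off, "wb") as fh:
            fh.write(image)
```

Carving with the section table rather than a fixed size matters because the dumped buffer usually has slack before and after the image; a dump that is cut off before the last section is still returned, just truncated to what is present. A carved image from a real sample is still only a file, not a verdict: the entry point, imports and strings need a second look before you conclude it is the decrypted payload.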