[mlwrdreamer]

I have been trying to unpack this sample for some time and I'm stuck. Has some antidebug.
Any guidance on how to unpack it will be appreciated.
Link to VT and attached
https://www.virustotal.com/en/file/e0c7 ... /analysis/

[EP_X0FF]

It is run pe. Set break on CreateProcess. Once called set break on NtWriteProcessMemory and inspect any call next. After few system calls will be payload call trying to write buffer with decrypted executable. Dump this memory and extract PE from this dump.

This is generic technique for most of malware "crypters".

This sample identified by MS as TrojanDownloader:Win32/Talalpek.A and probably has win32k exploit on board.
Notice it attempt to get SHAREDINFO by both binary search and CsrClientConnectToServer call.