Unhookingntdll_disk.exe

It then identified the .text section (the executable code) of the "dirty" ntdll.dll already running in its process memory and overwrote it with the "clean" code from the disk.

The Result: Silent Execution

Elias realized that UnhookingNtdll_disk.exe was designed to break those hooks.

The Methodology: Cleaning the DLL

Elias pulled the file into his sandbox. He watched as the malware performed a classic evasion maneuver: It then identified the