{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T12:37:57Z","timestamp":1768394277973,"version":"3.49.0"},"reference-count":134,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,11,4]],"date-time":"2025-11-04T00:00:00Z","timestamp":1762214400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,11,4]],"date-time":"2025-11-04T00:00:00Z","timestamp":1762214400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100004318","name":"Microsoft","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100004318","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100009226","name":"National Security Agency","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100009226","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,11,4]]},"DOI":"10.1109\/ecrime66972.2025.11327973","type":"proceedings-article","created":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T20:56:22Z","timestamp":1768337782000},"page":"1-20","source":"Crossref","is-referenced-by-count":0,"title":["ShadowBOX: A Low-Artifact Framework for Analyzing Evasive Malicious Code"],"prefix":"10.1109","author":[{"given":"Javad","family":"Zandi","sequence":"first","affiliation":[{"name":"Florida International University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lalchandra","family":"Rampersaud","sequence":"additional","affiliation":[{"name":"Florida International 
University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amin","family":"Kharraz","sequence":"additional","affiliation":[{"name":"Florida International University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Impeding automated malware analysis with environment-sensitive malware","volume-title":"7th USENIX Workshop on Hot Topics in Security (HotSec 12)"},{"key":"ref2","volume-title":"Iozone filesystem benchmark","year":"2024"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2022.108744"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3365001"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2022.3207757"},{"key":"ref6","volume-title":"ShieldFS: a self-healing, ransomware-aware filesystem"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00042"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-64171-8_8"},{"key":"ref9","first-page":"3487","article-title":"When malware changed its mind: An empirical study of variable program behaviors in the real world","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Avllazagaj"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/COMSNETS56262.2023.10041379"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_10"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2014.6999410"},{"key":"ref13","first-page":"2012","article-title":"Scientific but not academical overview of malware anti-debugging","author":"Branco","year":"2012","journal-title":"Anti-Disassembly and Anti-VM Technologies, Black Hat USA"},{"key":"ref14","article-title":"Detours: Binary interception of win32 functions","volume-title":"Windows NT 3rd symposium (windows NT 3rd 
symposium)","author":"Brubacher"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3150376.3150378"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/5.747866"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-33630-5_22"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2008.4630086"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243771"},{"key":"ref20","first-page":"3451","article-title":"{Obfuscation-Resilient} executable payload extraction from packed malware","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Cheng"},{"key":"ref21","volume-title":"Hiding your .net - etw","year":"2020"},{"key":"ref22","volume-title":"Active exploitation of the MOVEit Transfer vulnerability by Clop ransomware group"},{"key":"ref23","article-title":"Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors","author":"Teodorescu"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991110"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3642974.3652280"},{"key":"ref26","article-title":"Turing around the security problem","volume-title":"15th USENIX Security Symposium (USENIX Security 06)"},{"key":"ref27","volume-title":"Windows Commands Most Used by Attackers"},{"key":"ref28","article-title":"Octoverse: The state of open source and rise of ai in 2023","year":"2023"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2976559"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2976559"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3478520"},{"key":"ref32","author":"Elder","year":"2024","journal-title":"Automatic extraction of vulnerability information for security operators using gpt 
models"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/1368506.1368518"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545983"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-015-0244-0"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102550"},{"key":"ref37","first-page":"391","article-title":"Rethinking system audit architectures for high event coverage and synchronous log availability","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Gandhi"},{"key":"ref38","article-title":"Compatibility is not transparency: Vmm detection myths and realities","author":"Garfinkel","year":"2007","journal-title":"HotOS"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103595"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.14778\/3324301.3324302"},{"key":"ref41","volume-title":"MALREC: Compact Full-Trace Malware Recording for Retrospective Deep Analysis"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24207"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102894"},{"key":"ref44","article-title":"catch me if you can!\u2014detecting sandbox evasion techniques","volume-title":"Proc. 
USENIX Assoc","author":"Guibernau"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3564631"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2023.3329112"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref48","volume-title":"File systems driver design guide","author":"Hollasch","year":"2022"},{"key":"ref49","article-title":"Ten process injection techniques: A technical survey of common and trending process injection techniques, endgame","author":"Hosseini","year":"2018"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3098977"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.5220\/0010908400003120"},{"key":"ref52","volume-title":"BlueSpawn","author":"Smith"},{"issue":"1","key":"ref53","first-page":"45","article-title":"Ransomware analysis and defense","volume":"374","author":"Jones","year":"2012","journal-title":"Journal of Colloid and Interface Science"},{"key":"ref54","article-title":"In-depth formbook malware analysis \u2013 obfuscation and process injection","author":"Jullian","year":"2023"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2022.119133"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560649"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_7"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.27.297"},{"key":"ref59","first-page":"757","article-title":"{UNVEIL}: A {Large-Scale}, automated approach to detecting ransomware","volume-title":"25th USENIX security symposium (USENIX Security 16)","author":"Kharaz"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_5"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"ref62","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1007\/978-3-319-60876-1_5","article-title":"Dynodet: Detecting dynamic obfuscation in malware. 
In Michalis Polychronakis and Michael Meier, editors","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"Kim","year":"2017"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076790"},{"key":"ref64","first-page":"287","article-title":"Barecloud: Bare-metal analysis-based evasive malware detection","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Kirat"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046740"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134099"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SPW53761.2021.00050"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/PRDC.2014.33"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24475"},{"key":"ref70","article-title":"US govt offers $10 million bounty for info on Clop ransomware","author":"Abrams"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102512"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3048848"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102613"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102613"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1007\/s41635-017-0013-2"},{"key":"ref78","author":"Ma","year":"2020","journal-title":"Anomaly detection for linux system log"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818039"},{"key":"ref80","article-title":"Longitudinal study of the prevalence of malware evasive 
techniques","author":"Maffia","year":"2021"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3332184"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/CIS.2008.199"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.14722\/madweb.2024.23035"},{"key":"ref84","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1007\/978-3-030-00470-5_6","article-title":"Rwguard: A real-time detection system against cryptographic ransomware. In Michael Bailey, Thorsten Holz, Manolis Stamatogiannakis, and Sotiris Ioannidis, editors","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"Mehnaz","year":"2018"},{"key":"ref85","article-title":"Pssetcreateprocessnotifyroutineex function (ntddk.h)","year":"2022"},{"key":"ref86","article-title":"Pssetcreatethreadnotifyroutineex function (ntddk.h)","year":"2022"},{"key":"ref87","article-title":"Pssetloadimagenotifyroutineex function (ntddk.h)","year":"2022"},{"key":"ref88","article-title":"ntddk.h header","year":"2023"},{"key":"ref89","article-title":"Overview of Early Launch AntiMalware"},{"key":"ref90","article-title":"Plug and Play Minor IRPs"},{"key":"ref91","article-title":"Operations That Can Be IRP-Based or Fast I\/O"},{"key":"ref92","article-title":"Synchronous and Asynchronous I\/O"},{"key":"ref93","article-title":"Windows Management Instrumentation API"},{"key":"ref94","article-title":"ELAM: The Windows Defender ELAM Driver","volume-title":"PhD thesis","year":"2019"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.42"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.7717\/peerj-cs.136"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-6193-4_10"},{"key":"ref98","article-title":"Detecting deceptive process hollowing techniques using hollowfind volatility 
plugin","author":"Monnappa","year":"2017"},{"key":"ref99","volume-title":"Fibratus"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2019.102365"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2022.103202"},{"key":"ref102","article-title":"Another method of bypassing etw and process injection via etw registration entries","year":"2020"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3329786"},{"key":"ref104","volume-title":"osquery"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-020-00371-x"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_4"},{"key":"ref107","first-page":"48","volume-title":"Windows kernel internals cache manager","author":"Probert","year":"2010"},{"key":"ref108","volume-title":"Whids"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1145\/2103621.2103678"},{"key":"ref110","volume-title":"Windows internals, part 2","author":"Russinovich","year":"2012"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2016.46"},{"key":"ref112","article-title":"Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection","author":"Sgandurra","year":"2016"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.3390\/electronics11162579"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1109\/I4CT.2015.7219584"},{"key":"ref115","author":"Sikorski","year":"2012","journal-title":"Practical malware analysis: the hands-on guide to dissecting malicious software"},{"key":"ref116","volume-title":"Windows internals","author":"Solomon","year":"2009"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23121"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-64954-7_25"},{"key":"ref119","volume-title":"About 
WMI","author":"White"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS.2011.78"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2986112"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00042"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_13"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1109\/USBEREIT48449.2020.9117732"},{"key":"ref125","volume-title":"MITRE ATTACK"},{"key":"ref126","volume-title":"wazuh"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.45"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833726"},{"key":"ref129","volume-title":"ETW internals for security research and forensics","author":"Shafir"},{"key":"ref130","volume-title":"BEOTM"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607207"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_8"},{"key":"ref133","volume-title":"Windows Internals: System architecture, processes, threads, memory management, and more, Part 1","author":"Yosifovich","year":"2017"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/3539605"}],"event":{"name":"2025 APWG Symposium on Electronic Crime Research (eCrime)","location":"San Diego, CA, USA","start":{"date-parts":[[2025,11,4]]},"end":{"date-parts":[[2025,11,7]]}},"container-title":["2025 APWG Symposium on Electronic Crime Research 
(eCrime)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11326688\/11327697\/11327973.pdf?arnumber=11327973","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T07:08:46Z","timestamp":1768374526000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11327973\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,4]]},"references-count":134,"URL":"https:\/\/doi.org\/10.1109\/ecrime66972.2025.11327973","relation":{},"subject":[],"published":{"date-parts":[[2025,11,4]]}}}