3. Run the EXE File and Observe Its Behavior
Once the EXE file has been successfully moved to the Windows Sandbox, it’s time to run a test run to check for potential malware. Here’s how to carefully analyze file behavior:
A. Check for Warnings from Windows Defender
- Double-click the EXE file to run it.
- Observe the security notifications that appear.
If Windows Defender raises a red warning (example: “This file contains a virus”), close the program immediately.
If there is no warning, continue observation.
B. Check Network Activity (Unauthorized Internet Access)
- Open the Task Manager (Ctrl + Shift + Esc) > the “Details” tab.
- Look for the process name of the exe file that is running.
- Right-click the process > “Analyze wait chain” to see if the file is trying to connect to the internet.
If there is a foreign IP address or a suspicious domain (example: 185.143.223.1), be aware of spyware/keyloggers.
C. Identify Suspicious Processes in the Task Manager
- Sort processes by CPU/Memory usage.
- Be aware of:
- A new process with a random name appears (example: xvgthb.exe).
- The process continues to run after the EXE file is closed.
- There are strange child processes that are executed automatically.
D. Detection of System Settings Changes
1. Monitor unexpected changes such as:
- A new registry file in HKEY_LOCAL_MACHINE.
- Modify the system file (check via C:WindowsSystem32).
- The firewall/Windows Defender settings are suddenly disabled.
2. Use Process Explorer (Microsoft tools) for deeper analysis.
E. Beware of Automatic Software Installation
1. If the EXE file suddenly opens another program installer (example: “Do you want to install XYZ Toolbar?”), immediately:
- Cancel the process.
- Close the Sandbox (all changes will be lost).
2. Check the Program Files folder in the Sandbox to see if any unknown software is installed.
Summary Table of Malware Signs
| Suspicious Behavior | Potential Threats | Action |
| Windows Defender blocks files. | Virus/ransomware detected | Delete files |
| Unauthorized internet access | Spyware/phishing | Disconnect |
| Hidden processes in the background | Keylogger/miner | Terminate process |
| Change the registry | Rootkit/persistent malware | Restore Sandbox |
Analyze Results and Take Action
After testing the EXE file in the Windows Sandbox, it’s time to analyze the results and make the right decision. Here’s the full guide:
If the file is safe (shows no red flags)
1. Re-Verify
- Make sure there are no warnings from Windows Defender or other antivirus software.
- Check the Task Manager again to make sure there are no suspicious processes still running.
2. Transfer Files to Primary System (If Required)
- If the file is completely safe, you can re-download it from the official source (it’s safer than moving it from the Sandbox).
- Avoid copy-pasting directly from the Sandbox, as this feature is designed for isolation, not file transfer.
3. Stay Alert While Running
- Run the file first on the main system with limited access rights (non-administrator).
- Monitor its activity using Windows Defender or a monitoring tool like Process Explorer.
If the File is Problematic (Malware or Suspicious Detected)
1. Immediately Stop Testing
- Close all related processes in the Task Manager (if they are still running).
- Turn off Windows Sandbox – All changes will disappear automatically.
2. Delete Files from the Main System
- If the file is stored in Downloads or another folder, permanently delete it (Shift + Delete).
- Empty the Recycle Bin to make sure the file is completely deleted.
3. Perform a Full System Scan
- Use Windows Defender Offline Scan (more effectively detects persistent malware).
- Alternative: Use a tool like Malwarebytes or HitmanPro for additional checks.
4. Report Suspicious Files (Optional)
- If the file is from a source that is supposed to be trusted (for example, an official website that may have been hijacked), report it to Microsoft Defender SmartScreen or VirusTotal.