3. Make Sure Files Are Transferred Successfully
- Check in File Explorer inside the Sandbox (the file is usually on the Desktop or in Downloads).
- If the file does not appear, repeat the copy process with an alternate method.
Reminder:
- Don’t double-click an EXE file in the Sandbox before you’re ready to analyze it!
- If the file looks suspicious (example: random name, too small), it’s better to delete it immediately.
3. Run the EXE File and Observe Its Behavior
Once the EXE file has been successfully moved to the Windows Sandbox, it’s time to do a test run to check for potential malware. Here’s how to carefully analyze the file’s behavior:
A. Check for Warnings from Windows Defender
- Double-click the EXE file to run it.
- Observe the security notifications that appear.
If Windows Defender raises a red warning (example: “This file contains a virus”), close the program immediately.
If there is no warning, continue observation.
B. Check Network Activity (Unauthorized Internet Access)
- Open the Task Manager (Ctrl + Shift + Esc) > the “Details” tab.
- Look for the process name of the EXE file that is running.
- Right-click the process > “Analyze wait chain” to see if the file is trying to connect to the internet.
If a foreign IP address or a suspicious domain appears (example: 185.143.223.1), suspect spyware or a keylogger.
C. Identify Suspicious Processes in the Task Manager
- Sort processes by CPU/Memory usage.
- Watch for:
  - A new process with a random name (example: xvgthb.exe).
  - A process that keeps running after the EXE file is closed.
  - Strange child processes that are started automatically.
D. Detection of System Settings Changes
1. Monitor unexpected changes such as:
   - A new registry entry under HKEY_LOCAL_MACHINE.
   - Modified system files (check C:\Windows\System32).
   - The firewall or Windows Defender settings suddenly being disabled.
2. Use Process Explorer (a Microsoft Sysinternals tool) for deeper analysis.
E. Beware of Automatic Software Installation
1. If the EXE file suddenly opens another program’s installer (example: “Do you want to install XYZ Toolbar?”), immediately:
   - Cancel the process.
   - Close the Sandbox (all changes will be lost).
2. Check the Program Files folder in the Sandbox to see if any unknown software has been installed.
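To make the checks in B to E repeatable, here is an added PowerShell helper (my own example, not from the original article) that takes a snapshot inside the Sandbox before and after running the EXE and reports new processes, new outbound connections, new Run-key autostart entries, new Program Files folders, and Defender or firewall profiles that were switched off. The function names and the script filename are assumptions.

```powershell
# Added example, not from the original article: snapshot the Sandbox before and after
# running the EXE, then report what changed. Function and file names are my own.
# Usage inside the Sandbox (PowerShell):
#   . .\Watch-Exe.ps1; $b = Get-SandboxSnapshot; <run the EXE>; $a = Get-SandboxSnapshot
#   Compare-SandboxSnapshot -Before $b -After $a

function Get-SandboxSnapshot {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    [pscustomobject]@{
        # "<pid> <name>" so a re-spawned or renamed copy shows up as new
        Processes   = @(Get-Process | ForEach-Object { "$($_.Id) $($_.ProcessName)" })
        # Established connections to non-loopback addresses, tagged with the owning PID
        Connections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
            ForEach-Object { "$($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" })
        # Autostart values; PS* properties are PowerShell metadata, not registry values
        RunEntries  = @(foreach ($k in $runKeys) {
            if (Test-Path $k) {
                (Get-ItemProperty $k).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
            }
        })
        Programs    = @(Get-ChildItem $programDirs -Directory -ErrorAction SilentlyContinue).Name
        Defender    = (Get-MpComputerStatus -ErrorAction SilentlyContinue).RealTimeProtectionEnabled
        Firewall    = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }).Name
    }
}

function Compare-SandboxSnapshot($Before, $After) {
    foreach ($field in 'Processes', 'Connections', 'RunEntries', 'Programs') {
        # Items present only in the "after" snapshot carry SideIndicator '=>'
        $added = Compare-Object @($Before.$field | Where-Object { $null -ne $_ }) `
                                @($After.$field  | Where-Object { $null -ne $_ }) |
            Where-Object { $_.SideIndicator -eq '=>' }
        foreach ($item in $added) { "[NEW $field] $($item.InputObject)" }
    }
    if ($Before.Defender -and -not $After.Defender) {
        '[ALERT] Defender real-time protection was switched off'
    }
    $disabled = Compare-Object @($Before.Firewall) @($After.Firewall) |
        Where-Object { $_.SideIndicator -eq '=>' }
    foreach ($p in $disabled) { "[ALERT] Firewall profile disabled: $($p.InputObject)" }
}
```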
Summary Table of Malware Signs
| Suspicious Behavior | Potential Threat | Action |
|---|---|---|
| Windows Defender blocks the file | Virus/ransomware detected | Delete the file |
| Unauthorized internet access | Spyware/phishing | Disconnect |
| Hidden processes in the background | Keylogger/miner | Terminate the process |
| Registry changes | Rootkit/persistent malware | Restore the Sandbox |
Analyze Results and Take Action
After testing the EXE file in the Windows Sandbox, it’s time to analyze the results and make the right decision. Here’s the full guide:
If the file is safe (shows no red flags)
1. Re-Verify
- Make sure there are no warnings from Windows Defender or other antivirus software.
- Check the Task Manager again to make sure there are no suspicious processes still running.