How To Investigate Suspicious File using Sandboxie
Posted By Raymond In Category: Computer
2007
I’ve posted an article about Sandboxie, which lets you safely run suspicious or untrusted programs in a virtual space without affecting your computer. Say you run a trojan in the sandbox: you’re temporarily infected, and the attacker can still connect to your computer. But once you terminate the sandboxed trojan process, it kills off the attacker’s connections and your system remains free of infection. Even if you forget to terminate the sandboxed process, it will automatically be removed once you restart your computer.
The question is, how can you identify whether the suspicious file is a threat or not? If you don’t know how, I will show you how to use Sandboxie to check whether the sandboxed file is rogue software.
I’ll do a test with an Optix Pro trojan. Optix Pro is a configurable remote access tool, or trojan, that gives an attacker unauthorized access to an infected computer, similar to SubSeven or BO2K. It is no longer in development and is detected by all anti-virus programs.
I ran the Optix Pro trojan with Sandboxie by right-clicking the file and selecting “Run Sandboxed“.

On Sandboxie’s interface, I can see msiexec16.exe listed under the process names.

Did you notice anything suspicious here? The original executable file was virus.exe, and now it has turned into msiexec16.exe. A process that shows up under a different name than the file you launched is suspicious.
Next, let’s check out the contents of the sandbox. On the menu bar, click Function -> Contents of Sandbox -> Explore Contents.

I see a folder “drive” and also two files, RegHive and RegHive.LOG.

From the “drive” folder, I found out that the trojan renames itself to msiexec16.exe and copies itself to C:\windows\system32.

As for the RegHive file, it is the sandbox’s copy of the registry, which Sandboxie mounts as a subkey. To see what is inside the RegHive file, you must load it in the Windows Registry Editor. Before you load the RegHive into your registry, you must terminate the current sandbox first; otherwise you’ll get the error message “Cannot Load RegHive: The process cannot access the file because it is being used by another process.” To terminate the current sandbox, click Function on the menu bar and select Terminate Sandboxed Process -> In Current Sandbox.
After terminating the current sandbox, you can load the RegHive in Registry Editor by going to Start -> Run and typing regedit. Select HKEY_USERS, go to File -> Load Hive and browse for the RegHive file.

Enter any key name for the RegHive. I used “sandboxie” for easy identification. Once the RegHive is loaded, a new key “sandboxie” will appear.

I checked the registry and found an entry for msiexec16.exe in one of the Windows autorun locations, meaning that whenever Windows boots up, it will automatically run msiexec16.exe.
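Once the RegHive is loaded, the same autorun check can be scripted rather than browsed by hand. The Python below is an added example, not code from the original post or from Sandboxie; it assumes the loaded hive was exported with `reg export` (the .reg text format), that the hive’s `machine` and `user\current` subkeys mirror HKLM and HKCU, and that the sandbox’s `drive\C` folder maps to `C:\`. The registry dump and file list are constructed samples modelled on what the post describes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export HKU\sandboxie run.reg` style dump taken
# after the sandbox's RegHive was loaded under HKEY_USERS\sandboxie (assumed:
# the "machine" and "user\current" subkeys mirror HKLM and HKCU inside the box).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\sandboxie\machine\software\Microsoft\Windows\CurrentVersion\Run]
"msiexec16"="C:\\WINDOWS\\system32\\msiexec16.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_USERS\sandboxie\user\current\software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed sample: files found under the sandbox "drive" folder, relative to
# the sandbox root (assumes drive\C\... maps to C:\...).
SANDBOX_FILES = [r"drive\C\WINDOWS\system32\msiexec16.exe"]

AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def real_path(sandbox_relative):
    """drive\\C\\foo -> C:\\foo (hypothetical helper for the 'drive' layout)."""
    parts = PureWindowsPath(sandbox_relative).parts
    return str(PureWindowsPath(parts[1] + ":\\", *parts[2:]))

def parse_reg_export(text):
    """Yield (key, value_name, string_data) from .reg text; skips dword/hex."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # .reg escapes backslashes and quotes with a backslash
                yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def exe_path(data):
    """Reduce a Run value ("C:\\x y.exe" /q or C:\\x.exe /q) to its executable."""
    data = data.strip()
    return data[1:data.find('"', 1)] if data.startswith('"') else data.split()[0]

def persistence_findings(reg_text, sandbox_files):
    """Autorun entries whose executable the sandboxed program itself wrote."""
    written = {real_path(p).lower() for p in sandbox_files}
    return [(name, exe_path(data), key)
            for key, name, data in parse_reg_export(reg_text)
            if key.lower().endswith(AUTORUN_KEYS)
            and exe_path(data).lower() in written]
```

Each finding pairs an autorun value with a file the sandboxed program dropped, which is exactly the msiexec16.exe persistence seen above; legitimate Run entries such as Reader_sl.exe are ignored because nothing in the sandbox wrote them.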

As you can see, there are several signs that make this file look like malware. You can upload it to VirusTotal to scan it with 32 antivirus engines. If none of them detect a virus, you can submit it to an anti-virus company for them to check. Here is a list of websites where you can submit a suspicious file:
1. Nicta Software Anti-Virus Technologies
2. Norman Sandbox Information
3. Computer Associates (CA)
4. ClamAV
5. Trend Micro
6. Sophos
7. VigorPro
8. Authentium Thread Matrix
9. Hauri
10. Alladin
11. F-Secure
12. Symantec
13. Kaspersky (Email to newvirus@kaspersky.com)
There are undetectable private versions of trojans being sold by trojan writers, and you won’t even know that you’re being infected and monitored. So use Sandboxie whenever you can when you want to run email attachments, files downloaded from the Internet, or even files received from a friend.