ANY.RUN Windows 10 sandbox interactive malware sandbox

Windows 10 sandbox

A Windows 10 Sandbox is a temporary virtual machine that allows you to safely run and test any program (including potential malware) without risking harm to your main system.

The purpose of using the sandbox is to determine whether a program is malicious and, if so, to analyze its behavior in detail. This includes observing what processes it launches, what temporary files it creates, what traces or indicators of compromise (IOCs) it leaves behind, and how to configure your defense systems to protect against it.


In ANY.RUN, you can create any number of 32-bit or 64-bit Windows 10 Professional Sandbox environments. The only limitation is that you can't run multiple sandbox instances simultaneously — you need to end one session before starting another. 

Who should use the Windows 10 ANY.RUN sandbox?

ANY.RUN’s Windows 10 sandbox mode is designed specifically for security professionals. If you simply want to experiment with a virtual environment, our solution may not be the best fit. For casual use cases, consider using the built-in Windows 10 Home/Pro sandbox instead. However, the ANY.RUN sandbox can be incredibly useful when you need to analyze potentially malicious objects, such as:

1. SCAN A POTENTIALLY MALICIOUS FILE

You can upload the file to our service, select the system parameters (system locale, pre-installed programs, option to load your own programs, startup behavior like specifying a PowerShell command), and then run the analysis task.

Our service will create a virtual machine with your specified parameters. We monitor all system and network processes in real time, using tools like MITRE ATT&CK, YARA rules, and Suricata to detect any suspicious activity. Moreover, if you need to intervene during the analysis, such as entering a password for an obfuscated archive, you can do so at any time directly through the in-browser VNC window.

2. CHECK POTENTIALLY HARMFUL ONLINE CONTENT

You can also analyze various online content like phishing sites or untrusted browser extensions in the Windows 10 sandbox. You can specify which browser (Chrome, Firefox, Edge, or Internet Explorer) the site should open in. Then, you can interact with the content just as you would on your regular computer.


Advantages of ANY.RUN’s Windows 10 sandbox

While Windows 10 Home/Pro systems do have a built-in sandbox feature, our solution offers several key advantages for security teams:

  • One-click setup and instant access to information: You can launch a fully isolated, network-connected Windows 10 sandbox environment through our online service with just one click — no configuration required. On average, it detects malicious behavior within 40 seconds.
  • Cross-platform compatibility: Let's say you're working on a Linux machine but need to analyze how a potentially malicious file behaves on Windows 10. Since ANY.RUN is a cloud service, you can easily do this from any platform.
  • In-depth behavioral analysis: Our sandbox is built for malware analysis from the ground up. We don't just provide a temporary safe execution environment; we record all behavioral aspects — memory, processes, network activity, and more. This data is conveniently compiled into reports, streamlining your research work and IOC collection.

How to use Windows 10 Sandbox in ANY.RUN

Let's go through how easy it is to launch a Sandbox in ANY.RUN and what kind of analysis view we get. For this example, we'll use this sample.

ANY.RUN app home page
Windows 10 Sandbox configuration in ANY.RUN

To create a new Windows 10 sandbox, click the New analysis button on the service's home page. This will open the configuration settings window (below).

On the right side, select the Windows 10 operating system and choose either the 64-bit or 32-bit version as needed for your analysis context. The system version will be Windows 10 Pro.

Our virtual machines offer flexible configuration options. You can manage:

  • Network parameters
  • Post-launch actions
  • Presets
  • Task privacy settings
  • Preinstalled software
  • Your tools to upload
  • And more

Check out this blog post for more details on the available options.

Once configured, click Run Private/Public Task to initiate the sandbox.


Our machines typically take just 10-20 seconds to start up, and the first detection of any malicious activity happens within an average of 40 seconds. The screenshot below shows what the running Windows 10 sandbox looks like in ANY.RUN.

Here's a breakdown of the information and functions available to you:

  1. The central area (1) is the VNC (Virtual Network Computing) window. You can interact with the virtual machine here — click on files, type, open applications, all of it works just like on a real computer.
  2. The upper left section (2) shows general information. Tags indicate what kind of threat was detected and when. Below is the process tree, which highlights key suspicious and malicious actions.
  3. The tabs in the lower center (3) contain data on network connections, network threats flagged by Suricata rules, and file modifications.

Within seconds of starting the virtual machine, you can identify threats and understand how the object interacts with the system. We can see that in this case, we're dealing with Agent Tesla malware, which, as MITRE shows, steals web credentials.

Running Windows 10 sandbox in ANY.RUN

Consider ANY.RUN sandbox to analyze malware

The ANY.RUN sandbox is specially designed to simplify the analysis of malicious objects for cybersecurity teams. It lets you launch any number of virtual machines, adapted for analyzing complex threats, in seconds rather than hours, and simplifies data collection through convenient reports.

Users with the Hunter plan or higher can create Windows 10 virtual machine instances. You can view all of our plan options on the pricing page.

If you or your team regularly analyze malware on Windows 10 and other systems, reach out to our sales team. We'd be happy to discuss how ANY.RUN's capabilities can save your team time and boost malware detection rates.