David changed the injection mechanism and now LOG_API works much better. So I decided to release a new version: 1.89 (Beta 3). You can download it from here: https://1fichier.com/?tj0ae79njg5jgd74501a
I wanted to keep things simple, so the GUI is exactly the same as in version 1.88. To run the new version you also need the new DLLs. As David will be the person in charge of fixing and updating LOG_API, he will host and share the files.
In previous versions it was necessary to do this to run BSA with Sandboxie: edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add a few lines to every sandbox you will be using with Buster Sandbox Analyzer:
InjectDll=C:\BSA\LOG_API\logapi32.dll
InjectDll64=C:\BSA\LOG_API\logapi64.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30
In the new version you must replace "OpenWinClass=TFormBSA" with "OpenPipePath=\Device\NamedPipe\LogAPI".
It's still possible to run multiple malware analyses at the same time. If anyone is interested in this feature just let me know, but as better analyses are done with a single instance of BSA, I'll skip the method for the moment.
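As an added illustration (not part of the thread, of BSA or of Sandboxie), here is a Python helper that applies the change described above to a Sandboxie.ini: it finds the sandbox sections that use OpenWinClass=TFormBSA or already inject the LOG_API DLLs, removes the old window-class line, and adds whichever of the required settings are missing, without touching other sandboxes. The DLL paths assume the C:\BSA layout used in the post, and the sample INI is constructed.

```python
"""Move Sandboxie sandboxes from OpenWinClass=TFormBSA to the LOG_API named pipe."""
import re

# Values from the post above; the DLL paths assume the C:\BSA layout it uses.
PIPE_PATH = r"\Device\NamedPipe\LogAPI"
REQUIRED = [  # every BSA sandbox needs these after the change
    ("InjectDll", r"C:\BSA\LOG_API\logapi32.dll"),
    ("InjectDll64", r"C:\BSA\LOG_API\logapi64.dll"),
    ("OpenPipePath", PIPE_PATH),
    ("NotifyDirectDiskAccess", "y"),
    ("ProcessLimit1", "20"),
    ("ProcessLimit2", "30"),
]
REPEATABLE = {"injectdll", "injectdll64"}  # Sandboxie allows several of these

def parse_ini(text):
    """Ordered list of [name, lines]; text before the first [Section] gets name None."""
    sections = [[None, []]]
    for raw in text.splitlines():
        m = re.match(r"^\s*\[(.+?)\]\s*$", raw)
        if m:
            sections.append([m.group(1), []])
        else:
            sections[-1][1].append(raw)  # comments and blanks are kept verbatim
    return sections

def split_kv(line):
    """(lower-cased key, value) for a 'Key=Value' line, else None."""
    s = line.strip()
    if "=" not in s or s.startswith(("#", ";")):
        return None
    key, _, value = s.partition("=")
    return key.strip().lower(), value.strip()

def is_bsa_sandbox(lines):
    """True if the section uses the old BSA setting or injects a LOG_API DLL."""
    for key, value in filter(None, map(split_kv, lines)):
        if (key, value) == ("openwinclass", "TFormBSA"):
            return True
        if key in REPEATABLE and "logapi" in value.lower():
            return True
    return False

def migrate_section(lines):
    """Return (new_lines, changed): drop OpenWinClass=TFormBSA and append any
    missing required setting just before the section's trailing blank lines."""
    kept = [l for l in lines if split_kv(l) != ("openwinclass", "TFormBSA")]
    changed = len(kept) != len(lines)
    pairs = [kv for kv in map(split_kv, kept) if kv]
    additions = []
    for key, value in REQUIRED:
        have = [v.lower() for k, v in pairs if k == key.lower()]
        if key.lower() in REPEATABLE:
            missing = value.lower() not in have  # the exact DLL path is needed
        else:
            missing = not have  # keep any existing value; never duplicate a key
        if missing:
            additions.append(f"{key}={value}")
    if additions:
        changed = True
        at = len(kept)
        while at > 0 and not kept[at - 1].strip():
            at -= 1
        kept[at:at] = additions
    return kept, changed

def migrate(text):
    """Migrate every BSA sandbox in an INI text; return (new_text, names)."""
    sections = parse_ini(text)
    migrated = []
    for sec in sections:
        if sec[0] is not None and is_bsa_sandbox(sec[1]):
            sec[1], changed = migrate_section(sec[1])
            if changed:
                migrated.append(sec[0])
    out = []
    for name, lines in sections:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(lines)
    return "\n".join(out) + "\n", migrated

# Constructed sample: a full old-style BSA sandbox, one with only the old
# window-class line, and an unrelated sandbox that must stay untouched.
SAMPLE_INI = r"""[DefaultBox]
Enabled=y

[BSA]
Enabled=y
InjectDll=C:\BSA\LOG_API\logapi32.dll
InjectDll64=C:\BSA\LOG_API\logapi64.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30

[BSA2]
Enabled=y
OpenWinClass=TFormBSA
"""
```

Running `migrate` a second time on its own output changes nothing, so it is safe to re-run after a partial manual edit.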
Here is the download: https://github.com/sandboxie-plus/LogApiDll/releases/download/1.0.4/LogApiDll.zip
Please read the manual. Buster Sandbox Analyzer requires WinPcap to work. Download it from https://www.winpcap.org/ and install it.
Notes for new Buster Sandbox Analyzer users. If you want to try BSA you must follow these steps:
1) Download the BSA package from here: http://bsa.novirusthanks.org/downloads/bsa.rar
2) Create a folder, let's say C:\BSA, and decompress BSA.RAR inside the folder you created.
3) Delete BSA.EXE
4) Download the BSA 1.89 Beta 3 binary from here: https://1fichier.com/?tj0ae79njg5jgd74501a
5) Decompress BSA189Beta3.rar in the folder you created.
6) Download WinPcap from: https://www.winpcap.org/
7) Install WinPcap
Read the complete manual. BSA is a complex tool, so reading the manual is especially necessary.
Buster Sandbox Analyzer continues to be a discontinued project. I decided to release an update because even if there are features that don't work anymore, BSA is still a valuable analysis tool.
Information updated: Notes for new Buster Sandbox Analyzer users. If you want to try BSA you must follow these steps:
1.- Download the BSA package from here: http://bsa.novirusthanks.org/downloads/bsa.rar
2.- Create a folder, let's say C:\BSA, and decompress BSA.RAR inside the folder you created.
3.- Delete BSA.EXE. From the LOG_API folder delete all DLL files.
4.- Download the BSA 1.89 Beta 3 binary from here: https://1fichier.com/?tj0ae79njg5jgd74501a
5.- Decompress BSA189Beta3.rar in the folder you created.
6.- Download the LOG_API DLL files from here: https://github.com/sandboxie-plus/LogApiDll/releases/download/1.0.4/LogApiDll.zip
7.- Decompress LogApiDll.zip inside the LOG_API folder.
8.- Download WinPcap from: https://www.winpcap.org/
9.- Install WinPcap
10.- Read the complete manual. BSA is a complex tool, so reading the manual is especially necessary.
Buster Sandbox Analyzer continues to be a discontinued project. I decided to release an update because even if there are features that don't work anymore, BSA is still a valuable analysis tool.
Alternatively you can download the BSA package from here: https://1fichier.com/?ao6zqt3s8eb9nrziu8lk It contains BSA 1.89 Beta 3 and the new DLLs. In this case you can skip to step 8.
I fixed a minor glitch and added an extra check to make sure BSA works fine. I'll release version 1.89 Beta 4 as soon as I get feedback that everything is working fine again.
It's a pleasure to see the resurrection of a good old piece of code and also to remember my plays in youth ))) WinPcap is obsolete. I am using Win10Pcap and it seems there is no problem so far. Your comments on this? Also I've tried to quickly unpack the new version, make all the settings in sandboxie.ini and "analyze" notepad.exe running in the sandbox. I can see API calls but notepad.exe hangs ) Will try again later; possibly it is caused by third-party software installed in my system.
I don't know if Win10Pcap is compatible with BSA. In fact I didn't know about it, but if you don't notice any problem, network information is correctly added to reports and pcap packets are created fine, then so far so good. About crashes and hangs when LOG_API is injected: well, this problem was one of the reasons why I decided to stop BSA development, but in theory, after David's suggestion to change to named pipes and using a new injection mechanism, these issues should have been solved. If you experience any problems when injecting LOG_API, like hangs, report the problem to David, please. He is now officially in charge of fixing and updating LOG_API issues. If you report a problem, please specify Windows version and release. That may be important to solve the problem.
I have changed the way the hooks are installed a bit; it seems to have increased the speed quite a lot. Try the new release: https://github.com/sandboxie-plus/LogApiDll/releases/download/1.0.4b/LogApiDll.zip
In a quick test I can tell LOG_API is now MUCH faster than before, but some kind of problem has been introduced. I sandboxed notepad.exe, typed a few chars, selected "Save" or "Save as" and got an error message about insufficient memory. System: Windows 7 Ultimate 64 bits
mmh.... yea, wtf... there was an issue with the libs used; I have switched to the old ones, rebuilt the project and re-uploaded the fixed DLLs after testing. Now it should be fast and working.
New release: https://github.com/sandboxie-plus/LogApiDll/releases/download/1.0.5/LogApiDll.zip There was a memory corruption issue that only resulted in problems with the new libs, now fixed.
I can confirm the memory corruption issue is fixed. Thanks! I'm finishing BSA 1.89 Beta 5. In this version VirusTotal information will be back in reports.
BSA 1.89 Beta 5 can be downloaded from here: https://1fichier.com/?716fodhlg017ixhho4bs
The package includes improved LOG_API DLLs (much faster) and a few fixes. VirusTotal information is available again. To get this function working you must follow these instructions:
1) Sign up for the VirusTotal Community: https://www.virustotal.com/#/join-us After registering you will receive an API key.
2) Copy and paste your API key into a file named "virustotal_apikey.txt"
3) Put "virustotal_apikey.txt" in the BSA folder.
Don't forget to include VirusTotal information in reports by enabling the option: Options > Report Options > Information > VirusTotal
Also you must be aware of VirusTotal's public API limitations: "The Public API is limited to 4 requests per minute." https://developers.virustotal.com/reference
Buster, FANTASTIC news! I've periodically checked over the years to see if this tool has gotten a revival, but have been dismayed that it never has. It was such an amazingly useful tool, I'm surprised nobody else has created something similar. When I saw that you and this tool were back, it totally made my day. Thanks a lot for your work!
You can thank David for the revival. He has been so kind as to keep Sandboxie alive, and not only that, he has been very collaborative, taking a look at LOG_API and researching what's going wrong with it. It would be nice if you could download BSA version 1.89 Beta 5 and test it. If you have any questions, just tell me.
I just installed Win10Pcap and I didn't notice any difference with old WinPcap. Everything worked as expected so it has my blessings.
I just noticed a bug in Beta 5. In a clean installation BSA will show the following error message: "Invalid pipe name specified!" Just close BSA and open it again. The bug will be fixed in Beta 6.
A few observations.
1. If someone uses Actual Window Manager (like I do) - disable it during analysis. Otherwise the process will hang.
2. When I opened notepad.exe, put some letters, saved it and tried to close - I got an error:
3. When BSA proceeds to analyse using PEiD - I got another error:
4. The resulting report is quite funny:
Spoiler: General Report
Report generated with Buster Sandbox Analyzer 1.89 at 00:11:47 on 08/06/2020
Detailed report of suspicious malware actions:
Checked for debuggers
Code injection in process: C:\Windows\System32\WerFault.exe
Created a mutex named: Local\IDMEventMonitor
Created an event named: Global\CPFATE_11532_v4.0.30319
Created an event named: Local\ActualTools_LockMonitor
Created an event named: Local\ActualTools_UnlockMonitor
Detected Anti-Malware Analyzer routine: Disk information query
Detected keylogger functionality
Detected privilege modification
Detected process privilege elevation
Enumerated running processes
Error reporting dialog change: machine\software\microsoft\windows\windows error reporting\dontshowui = 00000001
Got input locale identifiers
Got user name information
Got volume information
Hid file from user: C:\WINDOWS\SbiePst.dat
Installs a hook procedure that monitors keystroke messages
Installs a hook procedure that monitors mouse messages
Malicious category given by Adobe Malware Classifier
Traces of Max++
Used a pipe for inter-process communication
Risk evaluation result: High
Spoiler: Detailed Report
Report generated with Buster Sandbox Analyzer 1.89 at 00:11:47 on 08/06/2020
[ General information ]
* File name: C:\Windows\notepad.exe
* File length: 181248 bytes
* File signature (PEiD): Not a valid PE file
* File signature (Exeinfo): Image is 64 bit executable - Not supported > *** Unknown EXE ^ CPU : 0x8664 AMD x64- Checksum is Set - Std Compiler section , maybe new MS C++ compiler [+ DigitaL Signature]
* File type: EXE
* TLS hooks: NO
* File entropy: 6.38338 (79.7923%)
* ssdeep signature:
3072:4GPGNDPjlam62b+jJQQUQhLBiW+3mCzSJSrVrvkwuS4GvRep:5GN70v2b+jJTh4WsmCz8SVrfvp
* Adobe Malware Classifier: Malicious
* MD5 hash: 06e6c0482562459adb462ca9008262f8
[ Changes to filesystem ]
* Creates file (hidden) C:\WINDOWS\SbiePst.dat (File length: 202 bytes, File type: Error, MD5 hash: 6c5eef357f31d70d93a9609b131078dd)
* Creates file E:\Users\SR\Desktop\4646.txt (File length: 16 bytes, File type: Error, MD5 hash: 78405d30a0acf0eef4f0b04b8c26bc72)
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_notepad.exe_4d57149e88eb30f454d2a2ab9e2b49a25ec8b6f9_275a8a3c_c10a09c9-d50b-4593-92f8-f78ca887d978\Report.wer (File length: 7150 bytes, File type: Unknown, MD5 hash: a2dbd3978a4cb8aea756bfc7d9d7497a)
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_notepad.exe_a920e551f0d96621cdd21af6cf20a4ee608750fe_275a8a3c_52dcd971-c4f3-40bb-a943-82d3e55bde64\Report.wer (File length: 24574 bytes, File type: Unknown, MD5 hash: 417bcdaf0368a2913a9d0233a62b11b9)
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WER50EF.tmp
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WER7552.tmp
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WER75DF.tmp
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WER904A.tmp
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WERA00B.tmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\Temp\WERA00B.tmp.WERInternalMetadata.xml (File length: 8140 bytes, File type: XML, MD5 hash: 1818b993223d2b8de06c5628142c2b20)
* Creates file (empty) C:\ProgramData\Microsoft\Windows\WER\Temp\WERA089.tmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\Temp\WERA089.tmp.xml (File length: 4818 bytes, File type: XML, MD5 hash: b7dc139d12dad368f453b767965c2837)
* Creates file (empty) C:\Users\SR\AppData\Local\CrashDumps\11532.dmp
* Deletes file C:\Users\SR\AppData\Local\CrashDumps\notepad++.exe.1072.dmp
* Deletes file C:\Users\SR\AppData\Local\CrashDumps\notepad++.exe.4280.dmp
* Creates file (empty) C:\Users\SR\AppData\Local\CrashDumps\notepad.exe.11532.dmp
* Modifies file C:\Users\SR\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db (File length: 3145728 bytes, File type: Unknown, MD5 hash: 31ae98dba94b0857c69ea3e1595a6818)
* Modifies file C:\Users\SR\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db (File length: 8388608 bytes, File type: Unknown, MD5 hash: 107fb8f8aa5758a89783639ba1b23fec)
* Modifies file C:\Users\SR\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db (File length: 465552 bytes, File type: Unknown, MD5 hash: 95a6e13d6e20d51be853855c2e9a2731)
* Creates file (empty) C:\Users\SR\AppData\Local\Temp\WER5110.tmp
* Creates file (empty) C:\Users\SR\AppData\Local\Temp\WER905B.tmp
* Creates file C:\Users\SR\AppData\Local\Temp\WER905B.tmp.WERDataCollectionStatus.txt (File length: 1702 bytes, File type: Unknown, MD5 hash: 3c891b12fe01c96fa8d972af1c513764)
[ Changes to registry ]
* Creates Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\IdentityCRL\ClockData
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates value "AllFlights=FX:1180989E" in key HKEY_LOCAL_MACHINE\software\microsoft\WindowsSelfHost\FIDs binary data=460058003A00310031003800300039003800390045000000
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\WindowsSelfHost\FIDs\ByFID\FX:1180989E
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\WindowsSelfHost\FIDs\Unknown
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0000911a-0000-0000-007e-000000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0ce69195-9018-4c48-9830-0200b268b803} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{24f976e5-5bcb-4559-9545-ce0f2407920b} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2f506b1f-0694-436c-93b2-6ca77d0b1ffa} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{30760f17-a251-4144-af66-8327b22ff3d9} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{42efd17d-37fd-48e8-9806-d5cd2f4dea14} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{474969ae-0000-0000-0000-100000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5235d7b3-904a-4e8d-a6d5-b41912e850f6} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5898fcaf-0000-0000-0000-100000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5e81a179-8eff-476e-b328-cfa3c5b6d4be} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6af050e6-213c-4e00-905b-d96bbe3b5aee} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8200d956-0000-0000-007e-000000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8fbe738e-e5dd-42ab-9a16-6747d5d4e99e} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{adaaffc6-67bd-4458-8cba-e02493a62c2f} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{adb07e1a-83cc-11e9-9929-7c2a31388091} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b0066714-0000-0000-0000-200000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ba98ea8b-8aca-4712-aa04-36664ed1730b} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bc64a1e1-bbb6-43a8-adb5-e034cb2eab2e} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e04bea89-26d0-4da5-b368-05f7f07b8790} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e7f36579-0000-0000-0000-100000000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e7f36579-0000-0000-0000-10a835000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e7f36579-0000-0000-0000-500600000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e7f36579-0000-0000-0000-602200000000} old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fc07db17-c53d-441c-84a1-1c85dfc4c105} old value empty
* Creates value "112=Start.exedd!l," in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
* Modifies value "99=NOTEPAD.EXEQNY" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU old value "99=NOTEPAD.EXE>7Fj"
* Modifies value "7=Start.exei+0/idwN$P" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU old value "7=CamtasiaStudio.exei+0.ez:Z1CmaiB1.Camtasia"
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
* Modifies value "23=notepad.exei+0:.:,L&&Q%**" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU old value "23=NOTEPAD.EXEi+0:.:,L&&Q%**"
* Modifies value "6=i+0:.:,L&&Q%**Z244.xB.4646.txt" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* old value "6=i+0:.:,L&&Q%j[^T2n.n>.np.png"
* Modifies value "0=i+0:.:,L&&Q%**Z244.xB.4646.txt" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\txt old value "0=i+0/rpoMP(elodtt"
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\txt
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2
* Creates value "Mode=00000004" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "LogicalViewMode=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "FFlags=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "IconSize=00000010" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "Sort" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "ColInfo" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "GroupByKey:FMTID" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "GroupByDirection=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\255\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "Mode=00000004" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "LogicalViewMode=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "FFlags=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "IconSize=00000010" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "Sort" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "ColInfo" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "GroupByKey:FMTID" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "GroupByDirection=00000001" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\622\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
* Creates value "notepad.exe.FriendlyAppName=11043B043E043A043D043E0442040000" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows
* Creates value "notepad.exe.ApplicationCompany=Microsoft Corporation" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows
[ Network services ]
* No changes
[ Process/window/string information ]
* Keylogger functionality.
* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Checks for debuggers.
* Installs a hook procedure that monitors mouse messages.
* Installs a hook procedure that monitors keystroke messages.
* Uses a pipe for inter-process communication.
* Anti-Malware Analyzer routine: Disk information query.
* Creates an event named "Local\ActualTools_LockMonitor".
* Creates an event named "Local\ActualTools_UnlockMonitor".
* Creates a mutex "Local\IDMEventMonitor".
* Creates an event named "Global\CPFATE_11532_v4.0.30319".
* Enables privilege SeDebugPrivilege.
* Enables privilege SeUnsolicitedInputPrivilege.
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Enables process privileges.
* Sleeps 68 seconds.
As I can see in the detailed report, the system inspects not just the sandboxed program but the whole system's activity (Explorer, for instance). It's a little bit annoying because I have to either run it in a totally clean environment or manually filter the output.
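One way to do that filtering automatically, as an added example that is not part of the thread or of BSA itself: a Python script that parses the report's "[ Section ]" / "* entry" layout (detail lines such as file length and hash are folded into their entry) and drops entries matching host-noise patterns taken from the report above: Windows Error Reporting and crash-dump artefacts, Explorer MRU and shell-bag state, Sandboxie's own SbiePst.dat, and the Actual Tools / IDM events. The rule names and the sample report are constructed for this example; the dropped-per-rule counts let you check what each rule removed before trusting the shortened report.

```python
"""Filter host/background noise out of a Buster Sandbox Analyzer report."""
import re
from collections import Counter

# Noise patterns taken from the report in this thread; the first matching rule
# wins. Review per host: "Injects code into WerFault.exe" is crash-handler
# noise for notepad, but would matter for a sample that targets WER itself.
NOISE_RULES = [
    ("wer", re.compile(r"\\WER\\|\\CrashDumps\\|WerFault\.exe|Windows Error Reporting")),
    ("explorer_shell", re.compile(r"\\Explorer\\(?:ComDlg32|BitBucket)\\"
                                  r"|\\Shell\\(?:BagMRU|Bags|MuiCache)\\"
                                  r"|\\Explorer\\iconcache_")),
    ("sandboxie", re.compile(r"SbiePst\.dat")),  # Sandboxie's own state file
    ("host_tools", re.compile(r"ActualTools_|IDMEventMonitor")),  # tools on the host
]
SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")

def parse_report(text):
    """Return (preamble, sections); an entry starts with '* ' and absorbs the
    detail lines (file length, type, hash) that follow it."""
    preamble, sections = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"name": m.group(1), "entries": []})
        elif not sections:
            preamble.append(line)
        elif line.startswith("* "):
            sections[-1]["entries"].append(line[2:])
        elif sections[-1]["entries"]:
            sections[-1]["entries"][-1] += " | " + line
        else:
            sections[-1]["entries"].append(line)
    return preamble, sections

def classify(entry):
    """Name of the first noise rule matching the entry, or None if it is kept."""
    for name, pattern in NOISE_RULES:
        if pattern.search(entry):
            return name
    return None

def filter_report(text):
    """Return (preamble, kept_sections, dropped) with dropped counted per rule."""
    preamble, sections = parse_report(text)
    dropped, kept = Counter(), []
    for sec in sections:
        entries = []
        for entry in sec["entries"]:
            rule = classify(entry)
            if rule:
                dropped[rule] += 1
            else:
                entries.append(entry)
        kept.append({"name": sec["name"], "entries": entries})
    return preamble, kept, dropped

def render(preamble, sections, dropped):
    """Rebuild the report text, with a summary of what was filtered out."""
    lines = list(preamble)
    for sec in sections:
        lines += ["", f"[ {sec['name']} ]"]
        lines += ["* " + e for e in sec["entries"]] or ["* (nothing left after filtering)"]
    lines += ["", "Filtered out: " + ", ".join(f"{k}={v}" for k, v in sorted(dropped.items()))]
    return "\n".join(lines)

# Constructed sample built from entries quoted in the post above.
SAMPLE_REPORT = r"""Report generated with Buster Sandbox Analyzer 1.89 at 00:11:47 on 08/06/2020
[ General information ]
* File name: C:\Windows\notepad.exe

[ Changes to filesystem ]
* Creates file (hidden) C:\WINDOWS\SbiePst.dat
* Creates file E:\Users\SR\Desktop\4646.txt
  File length: 16 bytes
  File type: Error
  MD5 hash: 78405d30a0acf0eef4f0b04b8c26bc72
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_notepad.exe\Report.wer
* Creates file (empty) C:\Users\SR\AppData\Local\CrashDumps\notepad.exe.11532.dmp
* Modifies file C:\Users\SR\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

[ Changes to registry ]
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0000911a-0000-0000-007e-000000000000}
* Modifies value "MRUListEx" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec

[ Process/window/string information ]
* Creates an event named "Local\ActualTools_LockMonitor".
* Creates a mutex "Local\IDMEventMonitor".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enables privilege SeDebugPrivilege.
* Installs a hook procedure that monitors keystroke messages.
* Sleeps 68 seconds.
"""

if __name__ == "__main__":
    print(render(*filter_report(SAMPLE_REPORT)))
```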