Using Start Time of the existing guest OS processes as a possible Anti-* trick

When you run the WMI command:

wmic process get name, creationdate

you get a list of process names and their creation dates.

When I was testing it on my VM I realized that the results expose my VM as a sandbox. Since I saved the VM snapshot a while ago, the creation dates of many running processes were really old. Only a few processes had today’s date.

So, if you see any process (or a cluster of processes) that is older than, say, 6-12 months, it is quite likely that the sample is executing inside a sandbox. While uptimes are much longer now than in the past, systems that have run the same processes for more than a year are suspicious; after all, patching affects every system, and no restart within the last year is at least unusual…
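For anyone maintaining an analysis VM, the same check can be turned around into a hygiene audit: run it inside the sandbox image before taking the snapshot, and refresh the snapshot (reboot the guest first) whenever anything is flagged. The script below is an added example, not part of the original post; the 180-day threshold is an assumed default and should be tuned to what real hosts in your environment look like.

```powershell
# Added example (not from the original post): audit a sandbox/analysis VM for
# processes whose creation date is old enough to give the snapshot away.
# Uses the same Win32_Process data that "wmic process get name,creationdate"
# reads, via the CIM cmdlets. The threshold is an assumption; adjust to taste.
param([int]$MaxAgeDays = 180)

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

# Get-CimInstance already converts the CIM datetime string into a [DateTime],
# so the comparison can be done directly. Some system processes (e.g. Idle)
# report no CreationDate at all; those are skipped.
$stale = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.CreationDate -and $_.CreationDate -lt $cutoff } |
    Select-Object ProcessId, Name, CreationDate,
        @{ Name = 'AgeDays'; Expression = { [int]($now - $_.CreationDate).TotalDays } } |
    Sort-Object CreationDate

if ($stale) {
    Write-Host ("{0} process(es) older than {1} days found; refresh the snapshot " +
                "after a clean reboot before using this image for detonation.") `
               -f $stale.Count, $MaxAgeDays
    $stale | Format-Table -AutoSize
    exit 1      # non-zero exit so the check can gate an automated image build
} else {
    Write-Host "No process older than $MaxAgeDays days; snapshot age looks plausible."
    exit 0
}
```

The exit code makes the audit usable as a step in an automated image-build pipeline: a non-zero result blocks the snapshot from being published until the guest has been rebooted and re-snapshotted with fresh process start times.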