For example. We can test for six or so conditions to detect a sandbox for #sandboxevasion, including, but not limited to, vCPU threads, physical memory, uptime, whether or not the host is domain joined, unique files created on disk, etc. Since we can check for a sandbox after X seconds plus random jitter, we can create an asynchronous #junkcode #deadcode process controlled by a #mutex #thread #fiber or #semaphore that periodically returns control flow to the dispatcher, which then returns to main().
#sandboxevasion #junkcode #deadcode #mutex #thread #fiber #semaphore
#MixedBooleanArithmetics is the process of combining the integer results of arithmetic operators (+, -, *) with bitwise operators such as AND, OR, XOR, NEGATE, etc., so that a simple expression is rewritten into an equivalent but much harder-to-read one. It has many practical applications, including creating #OpaquePredicates, #ObfuscatingPointers, #OrdinalObfuscation before deobfuscating the ordinal in a LoadLibraryW -> GetProcAddress() function, or running #junkcode to fool sandboxes. The latter is particularly interesting because, instead of merely exiting, we can keep testing for sandbox conditions.
#mixedbooleanarithmetics #opaquepredicates #obfuscatingpointers #ordinalobfuscation #junkcode
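The mixed boolean-arithmetic identities above are exactly what an analyst has to recognise and undo when reversing obfuscated code. The following is an added example, not code from the original post or its author, showing the analysis side: it exhaustively checks a small table of standard MBA rewrites (the well-known Hacker's Delight style identities) over an 8-bit domain, tells whether a candidate predicate is opaque (constant on the whole domain) or genuinely data-dependent, and reduces an MBA expression string back to its plain form by truth-table matching, the way a simple deobfuscation pass does. The bit width, the identity table and the expression strings are this example's own assumptions.

```python
# Added example (not the post author's code): brute-force checker for mixed
# boolean-arithmetic (MBA) rewrites, written from the analyst's side.
# Assumptions: an 8-bit domain (small enough to enumerate every (x, y) pair),
# the identity table below, and constructed expression strings.
from itertools import product
from typing import Callable, Optional

BITS = 8
MASK = (1 << BITS) - 1

BinOp = Callable[[int, int], int]


def equivalent(f: BinOp, g: BinOp, bits: int = BITS) -> bool:
    """True iff f and g agree on every (x, y) in the bits-wide domain, mod 2**bits.

    Masking makes the comparison match machine-width wraparound, so identities
    that rely on two's-complement arithmetic (e.g. ~x == -x - 1) are honoured.
    """
    mask = (1 << bits) - 1
    return all((f(x, y) & mask) == (g(x, y) & mask)
               for x, y in product(range(1 << bits), repeat=2))


# Identity table: (name, plain form, MBA rewrite). These are textbook identities;
# the checker below proves each one over the whole 8-bit domain rather than
# trusting the table.
IDENTITIES = [
    ("add", lambda x, y: x + y, lambda x, y: (x ^ y) + 2 * (x & y)),
    ("sub", lambda x, y: x - y, lambda x, y: (x ^ y) - 2 * (~x & y)),
    ("xor", lambda x, y: x ^ y, lambda x, y: (x | y) - (x & y)),
    ("or",  lambda x, y: x | y, lambda x, y: (x & ~y) + y),
]


def verify_table(bits: int = BITS) -> dict:
    """Map each identity name to whether its MBA rewrite really is equivalent."""
    return {name: equivalent(plain, mba, bits) for name, plain, mba in IDENTITIES}


def opaque_predicate_is_constant(pred: Callable[[int, int], bool],
                                 bits: int = BITS) -> Optional[bool]:
    """Return the constant value of pred if it never changes over the domain.

    An opaque predicate built from an MBA identity evaluates to the same
    boolean for every input; a real data-dependent branch does not, and for
    that case None is returned.
    """
    seen = {bool(pred(x, y)) for x, y in product(range(1 << bits), repeat=2)}
    return seen.pop() if len(seen) == 1 else None


# Plain forms a simplifier tries to match an obfuscated expression against.
PLAIN_FORMS = {
    "x + y": lambda x, y: x + y,
    "x - y": lambda x, y: x - y,
    "x ^ y": lambda x, y: x ^ y,
    "x | y": lambda x, y: x | y,
    "x & y": lambda x, y: x & y,
}


def simplify_mba(expr: str, bits: int = BITS) -> Optional[str]:
    """Reduce an MBA expression over x and y to a plain form by truth-table match.

    The expression is compiled once and evaluated with no builtins available;
    it is an analyst tool for constructed input, not a general expression parser.
    Returns the plain form's text, or None if nothing in PLAIN_FORMS matches.
    """
    code = compile(expr, "<mba>", "eval")

    def f(x: int, y: int) -> int:
        return eval(code, {"__builtins__": {}}, {"x": x, "y": y})

    for name, plain in PLAIN_FORMS.items():
        if equivalent(f, plain, bits):
            return name
    return None


if __name__ == "__main__":
    print("identity table:", verify_table())
    always_true = lambda x, y: (((x ^ y) + 2 * (x & y)) & MASK) == ((x + y) & MASK)
    print("opaque predicate constant:", opaque_predicate_is_constant(always_true))
    print("x < y constant:", opaque_predicate_is_constant(lambda x, y: x < y))
    print("(x ^ y) + 2 * (x & y)  ->", simplify_mba("(x ^ y) + 2 * (x & y)"))
    print("(x ^ y) + (x & y)      ->", simplify_mba("(x ^ y) + (x & y)"))
```

Exhaustive enumeration is only viable because the domain is tiny; on real 32- or 64-bit code the same matching is done with an SMT solver or by sampling plus simplification, but the idea is identical: an MBA rewrite and its plain form are indistinguishable on every input, which is precisely why opaque predicates built from them fold to a constant once the identity is recognised.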