Created the Thursday 01 October 2020. Updated 2 years, 1 month ago.

This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.

It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.
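From the analyst's side, the behaviour described above leaves a recognisable footprint in a sandbox's API-call trace: a run of GetForegroundWindow calls that all return the same handle, with nothing but a sleep between them. The following Python script is an added example, not code from the Unprotect page or its contributors; it parses a constructed, line-per-call trace format (timestamp, pid, API name, arguments, optional return value) and flags processes that poll the foreground window this way. The trace lines, the log format and the `min_polls` threshold are all assumptions made for this example.

```python
"""Flag the GetForegroundWindow/Sleep polling loop in a sandbox API-call trace."""
import re
from collections import defaultdict

# One call per line: "<seconds> pid=<pid> <Api>(<args>) [-> <return>]".
# This format is an assumption for the example, not a real sandbox's output.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)"
    r"(?:\s*->\s*(?P<ret>\S+))?\s*$"
)

# APIs that only delay execution; any other call breaks the "tight loop".
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}

# Constructed sample trace (not captured from real malware). pid 1204 polls the
# foreground window four times with only Sleep(100) in between and gives up
# once the handle changes; pid 2310 is a normal GUI process that happens to
# call GetForegroundWindow twice while doing other work.
SAMPLE_TRACE = """\
0.000 pid=1204 GetForegroundWindow() -> 0x000A0C2E
0.001 pid=1204 Sleep(100)
0.102 pid=1204 GetForegroundWindow() -> 0x000A0C2E
0.103 pid=1204 Sleep(100)
0.204 pid=1204 GetForegroundWindow() -> 0x000A0C2E
0.205 pid=1204 Sleep(100)
0.306 pid=1204 GetForegroundWindow() -> 0x000A0C2E
0.307 pid=1204 Sleep(100)
0.408 pid=1204 GetForegroundWindow() -> 0x00050B1A
0.410 pid=1204 CreateFileW(C:\\Users\\Public\\out.dat) -> 0x1C4
0.050 pid=2310 GetForegroundWindow() -> 0x000A0C2E
0.051 pid=2310 GetWindowTextW(0x000A0C2E) -> 12
0.900 pid=2310 Sleep(500)
1.400 pid=2310 GetForegroundWindow() -> 0x000A0C2E
"""


def parse_trace(text):
    """Turn trace text into a list of call dicts, skipping unparseable lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                      "api": m["api"], "args": m["args"], "ret": m["ret"]})
    return calls


def find_foreground_polling(calls, min_polls=3):
    """Per pid, find the longest run of GetForegroundWindow calls that returned
    the same handle and were separated only by sleep calls. Processes whose
    longest run reaches min_polls are reported."""
    by_pid = defaultdict(list)
    for c in calls:
        by_pid[c["pid"]].append(c)  # keep per-process call order

    findings = {}
    for pid, seq in by_pid.items():
        run_len, run_handle, sleeps_in_run, pending_sleep = 0, None, 0, 0
        best = (0, 0, None)  # (polls, sleeps between them, handle)
        for c in seq:
            if c["api"] == "GetForegroundWindow":
                if run_len and c["ret"] == run_handle and pending_sleep:
                    run_len += 1                # same handle again, after a sleep
                    sleeps_in_run += pending_sleep
                else:
                    run_len, run_handle, sleeps_in_run = 1, c["ret"], 0
                pending_sleep = 0
            elif c["api"] in SLEEP_APIS:
                pending_sleep += 1
            else:
                # Real work between polls: not the evasion loop, reset the run.
                run_len, run_handle, sleeps_in_run, pending_sleep = 0, None, 0, 0
            if run_len > best[0]:
                best = (run_len, sleeps_in_run, run_handle)
        if best[0] >= min_polls:
            findings[pid] = {"polls": best[0], "sleeps": best[1], "handle": best[2]}
    return findings


def analyze(text, min_polls=3):
    """Convenience wrapper: parse a trace and return the findings."""
    return find_foreground_polling(parse_trace(text), min_polls)


if __name__ == "__main__":
    for pid, info in analyze(SAMPLE_TRACE).items():
        print(f"pid {pid}: {info['polls']} foreground polls on handle "
              f"{info['handle']} separated by {info['sleeps']} sleeps")
```

The threshold matters: two identical reads in a row happen in ordinary GUI code, so the script requires at least three consecutive same-handle polls with nothing but a sleep between them before it reports a process. Run against the constructed trace it reports pid 1204 only; the same logic is a reasonable starting point for a sandbox behavioural signature, and the mitigation the text implies (have the sandbox move the foreground window between windows, as a user would) makes the loop in the sample exit instead of stalling.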

Code Snippets

Kyle Cucci


This technique uses the GetForegroundWindow API (together with Sleep) as described above.

#include <windows.h> // Provides both the GetForegroundWindow and Sleep APIs

int main(void)
{
    // Get a handle to the user's current foreground window.
    HWND foregroundWindowHandle1 = GetForegroundWindow();
    HWND foregroundWindowHandle2;
    do {
        // Sleep for .1 second (100 ms).
        Sleep(100);
        // Get a handle to the user's current foreground window again.
        foregroundWindowHandle2 = GetForegroundWindow();
    // While the handles to the current foreground windows are equal, continue to loop.
    } while (foregroundWindowHandle1 == foregroundWindowHandle2);
    return 0;
}
