I have a question regarding working of sandbox and D+
When an application is made to run in sandboxed environment then does defense+ monitors the behavior of that application. Coz I ran this malware in sandbox and at that time I didn’t see any popups but when I executed that same malware outside the sandbox there were D+ popups.
Yes, D+ monitors sandboxed applications. It will automatically block most actions, and give alerts for some actions (e.g. Windows/WinEvent Hooks). But of course that depends on what the sandboxed application is trying to do, and also on the level Treat unrecognized files as is set to. You can see the blocked actions in Defense+ > View Defense+ Events.