Hi,
Thank you for the nice guide. Unfortunately, many malware can detect when running inside a VM or sandbox and run normally; others install on the system but stay dormant for several hours/days before starting to act.
IMO the best method is to always have image backups; today, running a backup/restore can be done very quickly, transferring the data from LAN, USB3 drive, etc.