Yeah, it's an implementation problem that VirusTotal registers the whole VM's activity, including OS activity, instead of registering only the application's activity, because system activity can include various confusing transactions, such as connectivity checks, NTP queries, update checks, SmartScreen queries, etc., that are completely unrelated to the application being examined. There are some other suspicious activities, such as rundll attempts, that can be treated by users as performed by the application, while they're performed by VirusTotal itself. So, the VirusTotal sandbox shouldn't be treated as a precise tool to determine if an application is clean or not.