Downloaded from "warez" or "crack" forums as a compressed .zip or .rar archive. Indicators of Compromise (IOCs):

May attempt to create a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure it starts with the system.

Files labeled "sandboxie-4-14-full-patch.exe" or similar are frequently identified as or Potentially Unwanted Programs (PUPs) . Below is a general behavior write-up for this type of threat: Threat Type: Trojan / Credential Stealer.

Sandboxie 4.14 was a commercial version developed before the software became open-source in 2020. Because it required a license key for "full" features (like running multiple sandboxes simultaneously), many "full patches" appeared on third-party sites.

Ronen Tzur (later acquired by Invincea, then Sophos).