Which executable, the initial sandbox breakout or the payload? Presuming you mean the sandbox, the executable wasn't a direct executable; it was something a little more clever and in keeping with Sandboxie's stated operational use:

Peter, nobody doubts a claim when someone reports that a virus slipped by their antivirus software. This isn't any different; as far as I can tell, the difference is that nobody seems to have informed anyone here about the existence of sandbox/VM vulnerabilities. In the prior post I detailed the attack type and the resultant payload, and gave public examples of everything needed to accomplish it from either a sandbox or a VM, and a small article about the field of VM malware.

Specifics aren't particularly important because the specific exploit used may change, but the attack is the same. Just like what kind of message a scammer sends about the money you inherited/won/held in escrow, the details may change, but it is still the same scam. The PoC we used in the 2009 version of Sandboxie may not work in the latest version or the latest Windows or otherwise. However, it proves the attack historically, and merely by changing the exploit specifics to something that does work, the attack is resurrected. This is because the underlying vulnerability never disappeared: encouraging unsafe behaviors in an inadequately secured environment. Testing malware in an inadequately protected sandbox or VM is not a good idea.