File verdict · Decided by the MT AI Engine
Our call

Suspicious

Old signed PopCap EXE with adware label, process injection, LSASS access, and direct-IP contacts but minimal engine detections.

netfilter · Verified · PopCap Games
Trust score: 45 (Caution)
MT AI confidence · 65%
plants-vs-zombies-1-0-25m.exe
32.2 MB
SHA-256: 1b93627bbd0ad30e17639a41a8a375400b87ea20b7e65fc4ccba1a31565c51cc
Antivirus engines
1 of 74 flagged
Code signing
Signed by PopCap Games
Age
First seen 12y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 65% (High)
Reasoning

The file carries a PopCap Games signature dated 2010 whose signer string verified, yet the same scan tags it revoked-cert and invalid-signature; those two statements cannot both describe a currently valid Authenticode chain, so the signature needs a local check (certificate chain, revocation status, timestamp countersignature) before it counts for or against the file. The sandbox mapped several offensive MITRE techniques, including process injection (T1055) and LSASS access, but the evidence it cites for both is the presence of svchost.exe and lsass.exe in the process listing rather than an API trace from the sample into those processes. The sample contacted 19 public IP addresses with no domain resolution recorded; the listed prefixes belong to Microsoft, Akamai and Edgecast, which Windows itself reaches for error reporting and updates, and the same run recorded Windows Error Reporting temp files, so the traffic has to be attributed before it is called C2. One tier-2 adware detection (Zillya) stands against 73 clean engines, 17 of them tier-1, and common_old prevalence with no tier-1 family consensus keeps the assessment in mixed-signals territory.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.topDetections[0]: Zillya tier2 'Adware.NetFilter.Win32.208' (adwarePua=true)

  2. signing.signer: 'PopCap Games' verified=true (2010 signing date)

  3. behaviour.offensiveTechniques: T1055, T1547.001, T1548 (3 offensive MITRE)

  4. behaviour.contactedIps: 19 direct IPs, zero domains (MalwareTips.Synth.DirectIpC2 evidence)

  5. prevalence.classification: common_old (3702 uniqueSources, 11390 submissions)

Points in its favour
  • 17 tier-1 engines clean
  • Common_old prevalence (3702 sources)
  • No malicious sandbox verdict
  • No malicious dropped children
  • No tier-1 family consensus
Points against
  • Process injection (T1055) into svchost (the cited evidence is a svchost.exe command line from the process listing, not an injection API trace)
  • LSASS access flagged as credential dumping (the cited evidence is lsass.exe appearing in the process listing)
  • 19 public IPs contacted with no DNS recorded (prefixes belong to Microsoft and CDN operators; WER activity was recorded in the same run)
  • Revoked-cert and invalid-signature tags, contradicting the 'verified' signer label
  • Adware.NetFilter label from one tier-2 engine (Zillya)
What to do

Treat as suspicious until the contradictions are resolved, and do not run it on a production host. Verify the Authenticode chain locally (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa /v) and check whether the 2010 signature carries a timestamp countersignature, since that is what keeps a signature valid after its certificate expires; compare the SHA-256 against a copy obtained from an official PopCap/EA distribution channel; and re-detonate in a sandbox that records DNS queries and API calls, so the injection and LSASS claims can be confirmed or dropped on actual evidence rather than a process listing.

Threat family attribution

netfilter corroborated by 2 sources (the only engine-supplied family string on this page is Zillya's Adware.NetFilter.Win32.208, and the MT AI Engine label is built from the same engine data, so treat this as one independent signal, not two)

  • VT (74 engines)
    netfilter
  • MT AI Engine
    netfilter
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK: 24 techniques

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012 Query Registry, T1027 Obfuscated Files or Information, T1027.005 Indicator Removal from Tools, T1036 Masquerading, T1047 Windows Management Instrumentation, T1055 Process Injection, T1056 Input Capture, T1057 Process Discovery, T1071 Application Layer Protocol, T1082 System Information Discovery, T1083 File and Directory Discovery, T1091 Replication Through Removable Media, T1112 Modify Registry, T1120 Peripheral Device Discovery, T1129 Shared Modules, T1222 File and Directory Permissions Modification, T1497 Virtualization/Sandbox Evasion, T1497.001 System Checks, T1518 Software Discovery, T1518.001 Security Software Discovery, T1547.001 Registry Run Keys / Startup Folder, T1547.009 Shortcut Modification, T1548 Abuse Elevation Control Mechanism, T1574.002 DLL Side-Loading

Most of these (registry reads and writes, WMI queries, system and peripheral discovery, timing checks, Run keys, shortcut creation, loading its own DLLs) are also what a 2010 game installer does; the mapping is a behaviour inventory, not a verdict, and only T1055 and the LSASS-related observations carry weight in the verdict above.
Spawned processes: 15
  • "C:\Users\<USER>\Desktop\software.exe"
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  • C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  • C:\Windows\system32\lsass.exe
  • %SAMPLEPATH%\1b93627bbd0ad30e17639a41a8a375400b87ea20b7e65fc4ccba1a31565c51cc.exe (the sample, named by its SHA-256)
+7 more processes captured.
Note: services.exe and lsass.exe are started by wininit.exe at boot, and the svchost.exe instances by services.exe; a user-mode installer cannot spawn any of them. Their presence here means the sandbox enumerated system processes alongside the sample, which matters for how the ProcessInjection and CredentialDumper rules further down read this list.
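The listing above is what the ProcessInjection and CredentialDumper rules further down cite as evidence, so it is worth showing what real evidence would look like. The script below is an added example, not code from MalwareTips or from the sandbox vendor: it takes a process table and an API-call trace and reports injection or LSASS-read evidence only when a call from the sample's own process lineage targets another process. The process table mirrors this page's listing with invented pids, the API trace is constructed to show a positive case, and the access-mask constants are the standard Windows values.

```python
"""Distinguish 'system processes were listed' from 'the sample injected
into / read them'. Added example; the pids, the API-call trace and the
positive case are constructed, not taken from the page."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")
# access: desired-access mask for OpenProcess calls, 0 for everything else
Call = namedtuple("Call", "pid api target_pid access")

# Windows desired-access bits that matter here.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Calls that actually put code or a thread into another process.
INJECTION_APIS = {
    "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx",
    "NtQueueApcThread", "QueueUserAPC", "NtMapViewOfSection", "SetThreadContext",
}


def lineage(procs, root_pid):
    """Set of pids the sample is answerable for: itself and all descendants."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, ()))
    return seen


def injection_evidence(procs, calls, sample_pid):
    """(api, target image) for each injection call made from the sample's
    lineage into some other process. An empty list means no T1055 evidence."""
    image = {p.pid: p.image for p in procs}
    ours = lineage(procs, sample_pid)
    return [(c.api, image.get(c.target_pid, "<unknown>")) for c in calls
            if c.pid in ours and c.api in INJECTION_APIS and c.target_pid != c.pid]


def lsass_read_evidence(procs, calls, sample_pid):
    """Access masks of OpenProcess calls from the sample's lineage that ask
    for read access to lsass.exe memory, the precondition for dumping it."""
    image = {p.pid: p.image.lower() for p in procs}
    ours = lineage(procs, sample_pid)
    return [c.access for c in calls
            if c.pid in ours and c.api == "OpenProcess"
            and image.get(c.target_pid, "").endswith("lsass.exe")
            and c.access & PROCESS_VM_READ]


# Constructed mirror of the page's listing (pids invented): wininit.exe (500)
# starts services.exe and lsass.exe, services.exe starts svchost.exe, and
# the sample (4100) was launched by the sandbox's shell (3000).
PAGE_PROCS = [
    Proc(500, 400, r"C:\Windows\system32\wininit.exe"),
    Proc(600, 500, r"C:\Windows\system32\services.exe"),
    Proc(700, 500, r"C:\Windows\system32\lsass.exe"),
    Proc(900, 600, r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
    Proc(4100, 3000, r"C:\Users\<USER>\Desktop\software.exe"),
]
PAGE_CALLS = []  # the report shows no API trace, only the process listing

# Constructed positive trace: what T1055 and LSASS access actually look like.
POSITIVE_CALLS = [
    Call(4100, "OpenProcess", 900, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD),
    Call(4100, "WriteProcessMemory", 900, 0),
    Call(4100, "CreateRemoteThread", 900, 0),
    Call(4100, "OpenProcess", 700, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION),
]

if __name__ == "__main__":
    print("page listing :", injection_evidence(PAGE_PROCS, PAGE_CALLS, 4100),
          lsass_read_evidence(PAGE_PROCS, PAGE_CALLS, 4100))
    print("positive trace:", injection_evidence(PAGE_PROCS, POSITIVE_CALLS, 4100),
          lsass_read_evidence(PAGE_PROCS, POSITIVE_CALLS, 4100))
```

Run against the page's situation (a listing with no API trace) both checks return nothing, which is the honest result; run against the constructed trace they return the WriteProcessMemory/CreateRemoteThread pair into svchost and the PROCESS_VM_READ open on lsass, which is the kind of evidence the rule names should be backed by.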
Network activity: 20
IP addresses (20)
  • 23.216.147.76
  • 20.99.184.37
  • 192.229.211.108
  • 20.99.185.48
  • 23.216.147.64
  • 20.99.186.246
  • 20.99.133.109
  • 131.253.33.203
  • 20.69.140.28
  • 192.168.0.1 (RFC 1918 private address: local network, not an external contact)
+10 more
Filesystem & mutexes: 40
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\popcfg2\defines.xml
  • C:\Users\<USER>\AppData\Local\Temp\popcfg2\eula.rtf
  • C:\Users\<USER>\AppData\Local\Temp\popcfg2\install.xml
  • C:\Users\<USER>\AppData\Local\Temp\popcfg2\leeme.html
  • C:\Users\<USER>\AppData\Local\Temp\popcfg2\logo.bmp
+10 more
The popcfg2 directory holds installer configuration (defines.xml, install.xml, a EULA, a logo and a Spanish-language readme, leeme.html), consistent with a localized game installer unpacking its setup files before the payload.
Files deleted (15)
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BDF.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BE0.tmp.WERInternalMetadata.xml
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CAC.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C9B.tmp.csv
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CDC.tmp.txt
+10 more
The WER*.tmp files under ProgramData\Microsoft\Windows\WER\Temp are Windows Error Reporting artifacts: a process faulted during detonation and WER generated, then cleaned up, a report. WER's upload is also a plausible source of part of the Microsoft-bound traffic in the network list above.
Mutexes created (10)
  • Local\DirectSound DllMain mutex (0x00000988)
  • Local\DirectSound DllMain mutex (0x00000AD0)
  • Local\DirectSound DllMain mutex (0x00000C1C)
  • \Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00001AC4)
  • \Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00001D1C)
+5 more
'DirectSound DllMain mutex' is created by dsound.dll when it is loaded (audio initialization); it is not a malware marker.
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen (none has ever been scanned, so 'not flagged' is absence of data rather than a clean result; hash prefixes as displayed)
  • 220a8df432908e3b3101420df9
  • a0e57e5920f21ad3200bd52739
  • 8b053f90e6c1817e0af1706ba8
  • 7f3e2f0ec8926e7911fef56ea1
  • ba556d9af45e08eaccafb9d9af
  • e0450e59cbffffa8987c23bb4d
  • 41f45a46ee56626ff26984026b
  • 03ba16e1040d0df023f47d67bf
  • cfa4f2c6c2a8f86896c58115c2
  • 3e4d78fcc11eecb23af1261321
Submit each dropped child for scanning before relying on this section.
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

No researcher-curated YARA family rule is listed for this sample. The three matches below are MalwareTips synthesis heuristics computed over VT data and the sandbox listing; each is shown with the evidence it cites, and each should be read against that evidence.

3 synthesis rules
MITRE ATT&CK profile: Defense evasion × 1, Credential access × 1, C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    Rule text: MITRE T1055 (Process Injection) observed, i.e. CreateRemoteThread / APC / reflective-DLL injection smuggling a payload into a legitimate process to bypass AV hooks.
    Caveat: the cited evidence is a svchost.exe command line from the process listing. T1055 evidence is an API trace from the sample's process into svchost (OpenProcess with PROCESS_VM_WRITE, WriteProcessMemory, CreateRemoteThread, NtQueueApcThread or NtMapViewOfSection); none is shown here.

    Evidence
    C:\Windows\System32\svchost.exe -k NetworkService -p
  • CredentialDumper (medium)

    Rule text: sandbox observed process activity targeting LSASS (the Windows credential store). Legitimate software has no business reading LSASS memory; this is Mimikatz-shape behaviour.
    Caveat: the cited evidence is lsass.exe appearing in the listing. Credential-dumping evidence is an OpenProcess on lsass.exe with PROCESS_VM_READ from the sample's lineage, followed by ReadProcessMemory or MiniDumpWriteDump; none is shown here.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Rule text: sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
    Caveat: 'zero domains' only means the sandbox recorded no DNS queries, which can be a capture gap rather than a property of the sample. The listed addresses fall in Microsoft (20.64.0.0/10, 131.253.0.0/16), Akamai (23.192.0.0/11) and Edgecast (192.229.128.0/17) space that Windows reaches for Windows Error Reporting and updates, and WER artifacts were recorded in the same run. Owner attribution of all 19 addresses is needed before this counts as C2.

    Evidence
    23.216.147.76 · 20.99.184.37 · 192.229.211.108
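To make the DirectIpC2 caveat concrete, here is the heuristic rewritten with the gates a triage analyst would add: private addresses excluded, a "was DNS captured at all" gate, and an owner lookup before an address counts as unattributed. This is an added example, not MalwareTips' rule code. The ten addresses are the ones listed on this page; the prefix-to-owner table is a small offline stand-in for a whois/ASN lookup (an assumption, to be replaced with a real lookup in practice); and the positive case at the end uses a constructed placeholder address.

```python
"""Gated 'direct-IP C2' check over a sandbox's contacted-IP list.

Added example, not the site's rule code. PAGE_IPS are the ten addresses
shown on this page; KNOWN_PREFIXES is an offline stand-in for whois/ASN
data (assumption); the positive case uses a constructed placeholder.
"""
import ipaddress

PAGE_IPS = [
    "23.216.147.76", "20.99.184.37", "192.229.211.108", "20.99.185.48",
    "23.216.147.64", "20.99.186.246", "20.99.133.109", "131.253.33.203",
    "20.69.140.28", "192.168.0.1",
]

# Assumption: a tiny offline owner table. In practice query whois / an ASN
# database for every address and keep the answers with the report.
KNOWN_PREFIXES = {
    ipaddress.ip_network("20.64.0.0/10"): "Microsoft",
    ipaddress.ip_network("131.253.0.0/16"): "Microsoft",
    ipaddress.ip_network("23.192.0.0/11"): "Akamai",
    ipaddress.ip_network("192.229.128.0/17"): "Edgecast",
}


def classify(ip_str: str) -> str:
    """'non-routable' for RFC 1918 / loopback / link-local addresses, else
    the owner from KNOWN_PREFIXES, else 'unattributed'."""
    ip = ipaddress.ip_address(ip_str)
    if not ip.is_global:
        return "non-routable"
    for net, owner in KNOWN_PREFIXES.items():
        if ip in net:
            return owner
    return "unattributed"


def direct_ip_c2(ips, domains, dns_captured):
    """Return (fires, reason, breakdown).

    fires is True only when DNS was actually recorded, no names were
    resolved, and at least one routable address has no known owner.
    """
    breakdown = {}
    for ip in ips:
        breakdown.setdefault(classify(ip), []).append(ip)
    external = [ip for ip in ips if classify(ip) != "non-routable"]
    unattributed = breakdown.get("unattributed", [])
    if not dns_captured:
        return False, "no DNS capture: 'zero domains' is a gap, not a signal", breakdown
    if domains:
        return False, f"{len(domains)} domain(s) resolved; traffic is not DNS-less", breakdown
    if not unattributed:
        return False, (f"all {len(external)} routable addresses belong to "
                       "infrastructure Windows itself contacts"), breakdown
    return True, f"{len(unattributed)} routable address(es) with no known owner and no DNS", breakdown


if __name__ == "__main__":
    # The page's situation: the sandbox reported no domains at all.
    print(direct_ip_c2(PAGE_IPS, domains=[], dns_captured=False))
    # Same list with DNS known to have been captured: still no fire, because
    # every routable address has a known owner.
    print(direct_ip_c2(PAGE_IPS, domains=[], dns_captured=True))
    # Constructed positive case: a placeholder address outside the table.
    print(direct_ip_c2(["11.22.33.44"], domains=[], dns_captured=True))
```

The breakdown it returns (one private address, six Microsoft, two Akamai, one Edgecast for the ten shown) is the attribution the rule should have printed alongside its count; the rule only fires when an address survives all three gates.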
Antivirus engine breakdown

1 detection across 74 engines

1 malicious · 0 suspicious · 73 clean
Tier-1: 17 engines, 0 flag (top commercial AVs, low FP rate)
Tier-2: 38 engines, 1 flag (mainstream engines with mixed FP rates)
Low-trust: 19 engines, 0 flag (heuristic / generic-AI engines, high FP rate)
Zillya (tier-2): malicious, Adware.NetFilter.Win32.208
Hash 1b93627bbd0a… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. The four sections are within the normal range for unpacked, compiled code (.text at 6.51 is typical of x86 machine code; .rdata, .data and .rsrc sit well below the packed threshold). What the table does not cover is the overlay recorded in the behaviour tags: in a 32 MB installer that is where the bulk of the data and the Authenticode signature blob (the security directory points past the last section) usually sit, so overlay size and entropy, and whether the overlay starts with a recognisable archive or installer container, are the next things to measure.

Packer detection: Unpacked
Section entropy (4 sections; packed threshold 7.2 on a 0.0 to 8.0 scale)
  .text   6.51
  .rdata  4.62
  .data   3.95
  .rsrc   5.61
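Because the table above stops at the section table, here is a stdlib-only parser that reports the same per-section entropies and also measures what the table leaves out: the overlay, and the location of the Authenticode blob via the security data directory. This is an added example, not MalwareTips' PE forensics code. build_demo_pe() fabricates a minimal PE32 so the script runs offline; the section contents, the overlay and the 16-byte placeholder standing in for a WIN_CERTIFICATE blob are all constructed. In practice pass the real file's bytes to pe_layout().

```python
"""Per-section entropy plus the two things a section table does not show:
the overlay and where the Authenticode blob sits.

Added example, not the site's forensics code. build_demo_pe() fabricates a
minimal PE32 (constructed; not a runnable program) so pe_layout() can be
exercised offline; in practice pass the bytes of the real file.
"""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_layout(blob: bytes) -> dict:
    """Parse the PE headers far enough to report section entropies, the
    overlay (bytes past the last section's raw data) and the security
    directory, which is where an Authenticode signature lives."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H12xH", blob, coff + 2)
    opt = coff + 20
    pe32 = struct.unpack_from("<H", blob, opt)[0] == 0x10B  # else PE32+
    ndirs = struct.unpack_from("<I", blob, opt + (92 if pe32 else 108))[0]
    sig_off, sig_size = 0, 0
    # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4 and holds a file offset, not an RVA.
    if ndirs > 4:
        sig_off, sig_size = struct.unpack_from("<II", blob, opt + (96 if pe32 else 112) + 4 * 8)
    sections, end = [], 0
    for i in range(nsections):
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
        end = max(end, raw_ptr + raw_size)
    overlay = blob[end:]
    return {
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "signature": {"offset": sig_off, "size": sig_size,
                      "in_overlay": sig_size > 0 and sig_off >= end},
    }


def build_demo_pe(section_blobs, overlay=b"", signed=False) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, 224-byte optional
    header, one section header per (name, bytes) pair, raw data, overlay,
    and optionally a 16-byte placeholder for the WIN_CERTIFICATE blob with
    the security directory pointing at it."""
    nsec = len(section_blobs)
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * nsec
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    headers, data, ptr = b"", b"", hdr_len
    for name, raw in section_blobs:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                               len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        data += raw
        ptr += len(raw)
    if signed:
        fake_cert = b"\xAA" * 16
        struct.pack_into("<II", opt, 96 + 4 * 8, ptr + len(overlay), len(fake_cert))
        overlay += fake_cert
    return dos + b"PE\0\0" + coff + bytes(opt) + headers + data + overlay


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:  # constructed demo: uniform .text, all-zero .data, large uniform overlay, fake signature
        blob = build_demo_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)],
                             overlay=bytes(range(256)) * 8, signed=True)
    for key, value in pe_layout(blob).items():
        print(key, value)
```

On the constructed image the section table reads 8.00 and 0.00 while the overlay is larger than both sections together and holds the signature placeholder, which is the point: a four-row section table can look unremarkable while most of a 32 MB file sits outside it.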
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives. The exception worth keeping in mind is bundled adware/PUA, which is also common and old by construction; the single Zillya label names exactly that class, so prevalence lowers the concern without removing it.

Common & old
Unique uploaders
3,702
Thousands of distinct sources have uploaded this: common.
Total submissions
11,390
Includes repeat uploads by the same source.
First seen by VT
12y ago
Mar 31, 2014
Prevalence quadrant (this file: Common · Old)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries (this file)
File identity

Forensic fingerprint

File biography
First seen (VT)
3/31/2014, 2:39:54 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/4/2026, 5:55:38 AM
Scanned here
7/4/2026, 8:34:05 AM
File name
plants-vs-zombies-1-0-25m.exe
Size
32.19 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
1b93627bbd0ad30e17639a41a8a375400b87ea20b7e65fc4ccba1a31565c51cc
MD5
fe7f05f76369fa10ca054790b1b4e4ec
SHA-1
62616b1dc6c0d79df29d60eb40ab8f0dbc435758
PE imphash
2da9090feb3b5ad189a8a38d81052da5
First scan (MalwareTips)
7/4/2026, 8:34:05 AM
Last scan (MalwareTips)
7/4/2026, 8:34:05 AM
Code signer: PopCap Games (verified)
Community reputation: -2 (flagged)
Behavior tags: runtime-modules, revoked-cert, overlay, invalid-signature, checks-usb-bus, detect-debug-environment, checks-user-input, software-collection, peexe, calls-wmi, direct-cpu-clock-access, signed, checks-bios
The tags signed, revoked-cert and invalid-signature together describe a file that carries an Authenticode blob whose certificate is revoked or whose signature no longer verifies; if they are right, the 'verified' signer label above cannot mean a fully valid chain, and the two need to be resolved with a local signature check.
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.