Suspicious
Old signed PopCap EXE with adware label, process injection, LSASS access, and direct-IP contacts but minimal engine detections.
1b93627bbd0ad30e17…31565c51cc
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file carries a verified 2010 PopCap Games signature yet exhibits multiple offensive MITRE techniques including process injection into svchost and LSASS credential access. Direct-IP C2 to 19 addresses without domain resolution is atypical for legitimate software. Only a single tier-2 adware detection exists against 69 undetected and 17 tier-1 clean reports, but the behavioural signals and revoked/invalid signature tags prevent a clean classification. Prevalence as common_old and lack of tier-1 family consensus keep the assessment in mixed-signals territory.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.topDetections[0]: Zillya tier2 'Adware.NetFilter.Win32.208' (adwarePua=true)
signing.signer: 'PopCap Games' verified=true (2010 signing date)
behaviour.offensiveTechniques: T1055, T1547.001, T1548 (3 offensive MITRE)
behaviour.contactedIps: 19 direct IPs, zero domains (MalwareTips.Synth.DirectIpC2 evidence)
prevalence.classification: common_old (3702 uniqueSources, 11390 submissions)
- 17 tier-1 engines clean
- Common_old prevalence (3702 sources)
- No malicious sandbox verdict
- No malicious dropped children
- No tier-1 family consensus
- Process injection (T1055) into svchost
- LSASS credential access (Mimikatz-shape)
- Direct-IP C2 without DNS
- Revoked certificate + invalid signature
- Adware label from tier-2 engine
Treat as suspicious; avoid execution and scan with additional sources before any use.
netfilter corroborated by 2 sources
- VT (74 engines): netfilter
- MT AI Engine: netfilter
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\popcfg2\defines.xml
- C:\Users\<USER>\AppData\Local\Temp\popcfg2\eula.rtf
- C:\Users\<USER>\AppData\Local\Temp\popcfg2\install.xml
- C:\Users\<USER>\AppData\Local\Temp\popcfg2\leeme.html
- C:\Users\<USER>\AppData\Local\Temp\popcfg2\logo.bmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BDF.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BE0.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CAC.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C9B.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CDC.tmp.txt
- Local\DirectSound DllMain mutex (0x00000988)
- Local\DirectSound DllMain mutex (0x00000AD0)
- Local\DirectSound DllMain mutex (0x00000C1C)
- \Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00001AC4)
- \Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00001D1C)
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 23.216.147.76 · 20.99.184.37 · 192.229.211.108
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: plants-vs-zombies-1-0-25m.exe
- Size: 32.19 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 1b93627bbd0ad30e17639a41a8a375400b87ea20b7e65fc4ccba1a31565c51cc
- MD5: fe7f05f76369fa10ca054790b1b4e4ec
- SHA-1: 62616b1dc6c0d79df29d60eb40ab8f0dbc435758
- PE imphash: 2da9090feb3b5ad189a8a38d81052da5
- First seen (VT): 3/31/2014, 2:39:54 AM
- Last analysis (VT): 7/4/2026, 5:55:38 AM
- First scan (MalwareTips): 7/4/2026, 8:34:05 AM
- Last scan (MalwareTips): 7/4/2026, 8:34:05 AM
- Code signer: PopCap Games (verified)
- Community reputation: -2 (flagged)
Reviews & malware reports (0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.