File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned ZIP containing Sims 4 updater executable flagged as PUP by six tier-1 engines with defense-evasion behavior.

PUP
Trust score: 48 (Caution)
MT AI confidence · 72%
Anadius Updater Tool for Windows.zip · 19.9 MB · 749ef77d06160704918feb0ed4a6
Antivirus engines: 14 of 75 flagged
Code signing: Unsigned
Age: First seen 5mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 72% (High)
Reasoning

The sample shows clear PUP characteristics through multiple high-trust engine detections focused on unwanted or cracked software. Behavioral signals including direct IP communication and anti-analysis tactics support treating it as potentially harmful. Medium prevalence and absence of strong tier-1 family consensus or sandbox malice prevent a full malicious classification. Overall mixed signals align with borderline PUA tooling.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.topDetections: 6 tier-1 engines (Avast, Sophos, Symantec) label PUP/PUA or PUP/Crack

  2. behaviour.offensiveTechniques: T1486 + T1562.001 with direct IP 162.159.36.2 and triggered MalwareTips.Synth.DirectIpC2

  3. prevalence.classification: medium across 1142 submitters; file contains sims-4-updater-v2.4.10.exe

  4. signing.signed=false and no similarHashes RAG matches

Points in its favour
  • No malicious dropped children
  • Medium prevalence with many submitters
  • No sandbox malicious verdict
Points against
  • PUP detections from tier-1 engines
  • Offensive MITRE techniques T1486 and T1562.001
  • Direct IP contact without DNS
  • Anti-analysis tags present
What to do

Treat as unwanted software. Avoid running the extracted executable and remove the archive to prevent potential system modifications or unwanted behavior.

Threat family attribution

PUP corroborated by 1 source

  • MT AI Engine · PUP
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (8)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1047, T1070.006, T1071, T1082, T1106, T1486, T1497, T1562.001
Spawned processes (7)
  • "C:\Users\<USER>\AppData\Local\Temp\sims-4-updater-v2.4.10.exe"
  • sims-4-updater-v2.4.10.exe
  • C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWow64\unarchiver.exe" "C:\Users\user\Desktop\616070491a1e0a65795021fc9d0d29e657369529324688feb0ed4a6.zip"
  • C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\014tw3cc.smi" "C:\Users\user\Desktop\616070491a1e0a65795021fc9d0d29e657369529324688feb0ed4a6.zip"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\014tw3cc.smi\sims-4-updater-v2.4.10.exe"
  • C:\Users\user\AppData\Local\Temp\014tw3cc.smi\sims-4-updater-v2.4.10.exe
Network activity (1)
IP addresses (1)
  • 162.159.36.2
Filesystem & mutexes (16)
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\_MEI46842\Pythonwin\mfc140u.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI46842\Pythonwin\win32ui.pyd
  • C:\Users\<USER>\AppData\Local\Temp\_MEI46842\VCRUNTIME140.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI46842\VCRUNTIME140_1.dll
  • C:\Users\<USER>\AppData\Local\Temp\_MEI46842\_asyncio.pyd
+10 more
Files deleted (1)
  • C:\Users\<USER>\AppData\Local\Temp\wpzz139z
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • 21baa6669389d828405914844d · Never scanned (never seen before)
  • 360b2c9242365d6c0fdabe3d9a · Never scanned (never seen before)
  • cd2f60075064dfc2e65c356b08 · Never scanned (never seen before)
  • 2f4d915840c287c54188066384 · Never scanned (never seen before)
  • 036c32dc38a30a7f09ce68d72d · Never scanned (never seen before)
  • ef59713151ac9ee78e13470e48 · Never scanned (never seen before)
  • 9362f48e2ade1ba5a99143c204 · Never scanned (never seen before)
  • 1947f8b188ab4ab6aa72368fb7 · Never scanned (never seen before)
  • 4a9d4a76514f399a9652e2336d · Never scanned (never seen before)
  • d2a7999e234e33828888723b6f · Never scanned (never seen before)
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 · medium

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    162.159.36.2
Antivirus engine breakdown

14 detections across 75 engines

14 malicious · 0 suspicious · 61 clean
Tier-1 · 17 engines · 6 flag · Top commercial AVs (low FP rate)
Tier-2 · 38 engines · 5 flag · Mainstream engines with mixed FP rates
Low-trust · 20 engines · 3 flag · Heuristic / generic-AI engines (high FP rate)
  • Avast · malicious · Other:PUP-gen [PUP]
  • AVG · malicious · Other:PUP-gen [PUP]
  • Avira · malicious · PUA/PUP
  • Cynet · malicious · Malicious (score: 99)
  • DeepInstinct · malicious · MALICIOUS
  • F-Secure · malicious · PotentialRisk.PUA/PUP
  • Google · malicious · Detected
  • Gridinsoft · malicious · PUP.Win64.Gen.cl
  • MaxSecure · malicious · Trojan.Malware.340867217.susgen
  • Panda · malicious · PUP/Crack
  • Sophos · malicious · Generic Reputation PUA (PUA)
  • Symantec · malicious · PUA.Gen.2
  • TrellixENS · malicious · Artemis!6DC3624A0D17
  • Varist · malicious · ABApplication.YD
Hash 749ef77d0616… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders: 1,142. Hundreds of people have uploaded this — common.
Total submissions: 1,428. Includes repeat uploads by the same source.
First seen by VT: 5mo ago (Jan 3, 2026)
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT): 1/3/2026, 11:42:18 AM
First seen (MalwareBazaar):
Last analysis (VT): 5/20/2026, 9:38:43 AM
Scanned here: 5/20/2026, 5:21:26 PM
File name: Anadius Updater Tool for Windows.zip
Size: 19.88 MB
MIME type: (unknown)
Detected type: ZIP
SHA-256: 749ef77d0616070491a1e0a65795021fc9d0d29e657369529324688feb0ed4a6
MD5: b6d0df97c73ea3b7b5ecaa90d1621099
SHA-1: f2ec401be0d8bae6fd9ca751b4e0f3f896d3cd05
First scan (MalwareTips): 5/20/2026, 5:21:26 PM
Last scan (MalwareTips): 5/20/2026, 5:21:26 PM
Behavior tags
long-sleeps, calls-wmi, checks-bios, zip, contains-pe, detect-debug-environment
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.