Safe
Unsigned batch installer with encoded PowerShell; zero tier-1 detections, common prevalence, no malicious children — heuristic false positive.
d57693f225f6cb6db1…72e55517c0The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This unsigned batch file triggers a high-severity heuristic rule for encoded PowerShell — a pattern associated with first-stage malware loaders. However, legitimate installers routinely use encoded PowerShell for UAC elevation and registry modification. The critical evidence is that all 17 tier-1 antivirus engines (Avast, BitDefender, ESET, Kaspersky, Microsoft, Fortinet, and others) report the file undetected. The file's common_old prevalence (8553 submissions since December 2024) indicates widespread, established distribution. Behaviour analysis shows only one offensive MITRE technique (T1059.001 — command-line interface) paired with eight ambient techniques typical of installer discovery and evasion checks. No malicious dropped children were confirmed, no malicious host contact occurred, and no external intelligence (CIRCL, YARAify, MalwareBazaar) corroborated a threat. Community sandbox analyses (FileScan.IO) flagged the file SUSPICIOUS/MALICIOUS with high confidence, but these heuristic-heavy tools are known to over-flag unsigned batch files with encoded PowerShell. The negative reputation score (-3) reflects this heuristic noise rather than genuine malware consensus.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=0; 17 tier-1 engines (Avast, BitDefender, ESET, Kaspersky, Microsoft, Fortinet, Ikarus, DrWeb, Emsisoft, F-Secure, GData, Avira, AVG) all report undetected
prevalence.classification='common_old' — 3633 unique submitters, 8553 submissions since 2024-12-21 — consistent with legitimate widely-distributed installer
triggeredHeuristics: 'MalwareTips.Synth.EncodedPowerShell' fired (high) — Base64/Invoke-Expression pattern typical of first-stage malware loaders BUT also routine in batch installers for legitimate setup tasks
behaviour.offensiveTechniques=[T1059.001] only; 8 ambient techniques (process enumeration, system-info discovery, debug-environment detection) consistent with installer evasion checks, not malware C2 or exfiltration
droppedChildren: 3 inspected, 0 malicious; contactedHosts=null; no external-intel hits (CIRCL, YARAify, MalwareBazaar) — no malicious payload confirmation
- All 17 tier-1 antivirus engines report undetected — zero tier-1 consensus on malware
- common_old prevalence (8553 submissions, 3633 unique sources) — consistent with legitimate widely-distributed installer
- Zero malicious dropped children confirmed — no malicious payload verified
- No malicious host contact — no C2 or exfiltration infrastructure contacted
- No external intelligence hits (CIRCL, YARAify, MalwareBazaar) — no researcher-curated malware corroboration
- Unsigned file — no publisher identity verification
- Encoded PowerShell pattern — matches first-stage malware loader signature but also legitimate installer pattern
- Installer evasion checks (debug-environment detection, process enumeration) — could indicate sandbox/analysis avoidance
- Negative reputation score (-3) — reflects community heuristic suspicion
This file is likely a legitimate batch installer flagged by heuristic engines due to encoded PowerShell and evasion checks. If obtained from an official vendor or trusted repository, it is safe to execute. If received from an untrusted source, verify the publisher and source before running.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 224.0.0.251
- C:\Users\<USER>\Downloads\.exe
- C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfv1g0rc.541.psm1
- C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mctvwmik.iam.ps1
- C:\Users\user\AppData\Roaming
- C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfv1g0rc.541.psm1
- C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mctvwmik.iam.ps1
- \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
Files this sample writes at runtime
This file drops 3 children at runtime. None are currently flagged malicious in our cache.
- 96ad1146eb96877eab59…87dcf7Never scannednever seen before
- 73f1e4a704162d15a796…252f83Never scannednever seen before
- ef13280b4372077eccaf…12ff80Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample spawned PowerShell with an encoded, Base64, or Invoke-Expression payload. Near-universal first-stage malware loader pattern.
EvidenceC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile "$_PSCommandPath = [Environment]::GetEnvironmentVariable('script_path', 'Process'); iex ((Get-Content -LiteralPath $_PSCommandPath) | out-…
0 detections across 74 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- setup.bat
- Size
- 15.0 KB
- MIME type
- (unknown)
- Detected type
- Powershell
- SHA-256
- d57693f225f6cb6db126f7f5159a7d2b5631b11a1b4659faefcf6572e55517c0
- MD5
- dcc9950b262c57c2f7cb5cf62d079099
- SHA-1
- 3e562fd9443687362062d17fc7fd298094a2dfc2
- First seen (VT)
- 12/20/2024, 11:23:17 PM
- Last analysis (VT)
- 7/6/2026, 3:42:03 AM
- First scan (MalwareTips)
- 7/7/2026, 8:21:30 PM
- Last scan (MalwareTips)
- 7/8/2026, 12:48:28 AM
- Community reputation
- -3flagged
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.