File verdict·Decided by the MT AI Engine
Our call

Safe

Unsigned batch installer with encoded PowerShell; zero tier-1 detections, common prevalence, no malicious children — heuristic false positive.

Trust score82Moderate trust
MT AI confidence · 78%
setup.bat
15.0 KB
d57693f225f6cb6db172e55517c0
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 2y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

78%Confidence
High
Reasoning

This unsigned batch file triggers a high-severity heuristic rule for encoded PowerShell — a pattern associated with first-stage malware loaders. However, legitimate installers routinely use encoded PowerShell for UAC elevation and registry modification. The critical evidence is that all 17 tier-1 antivirus engines (Avast, BitDefender, ESET, Kaspersky, Microsoft, Fortinet, and others) report the file undetected. The file's common_old prevalence (8553 submissions since December 2024) indicates widespread, established distribution. Behaviour analysis shows only one offensive MITRE technique (T1059.001 — command-line interface) paired with eight ambient techniques typical of installer discovery and evasion checks. No malicious dropped children were confirmed, no malicious host contact occurred, and no external intelligence (CIRCL, YARAify, MalwareBazaar) corroborated a threat. Community sandbox analyses (FileScan.IO) flagged the file SUSPICIOUS/MALICIOUS with high confidence, but these heuristic-heavy tools are known to over-flag unsigned batch files with encoded PowerShell. The negative reputation score (-3) reflects this heuristic noise rather than genuine malware consensus.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=0; 17 tier-1 engines (Avast, BitDefender, ESET, Kaspersky, Microsoft, Fortinet, Ikarus, DrWeb, Emsisoft, F-Secure, GData, Avira, AVG) all report undetected

  2. prevalence.classification='common_old' — 3633 unique submitters, 8553 submissions since 2024-12-21 — consistent with legitimate widely-distributed installer

  3. triggeredHeuristics: 'MalwareTips.Synth.EncodedPowerShell' fired (high) — Base64/Invoke-Expression pattern typical of first-stage malware loaders BUT also routine in batch installers for legitimate setup tasks

  4. behaviour.offensiveTechniques=[T1059.001] only; 8 ambient techniques (process enumeration, system-info discovery, debug-environment detection) consistent with installer evasion checks, not malware C2 or exfiltration

  5. droppedChildren: 3 inspected, 0 malicious; contactedHosts=null; no external-intel hits (CIRCL, YARAify, MalwareBazaar) — no malicious payload confirmation

Points in its favour
  • All 17 tier-1 antivirus engines report undetected — zero tier-1 consensus on malware
  • common_old prevalence (8553 submissions, 3633 unique sources) — consistent with legitimate widely-distributed installer
  • Zero malicious dropped children confirmed — no malicious payload verified
  • No malicious host contact — no C2 or exfiltration infrastructure contacted
  • No external intelligence hits (CIRCL, YARAify, MalwareBazaar) — no researcher-curated malware corroboration
Points against
  • Unsigned file — no publisher identity verification
  • Encoded PowerShell pattern — matches first-stage malware loader signature but also legitimate installer pattern
  • Installer evasion checks (debug-environment detection, process enumeration) — could indicate sandbox/analysis avoidance
  • Negative reputation score (-3) — reflects community heuristic suspicion
What to do

This file is likely a legitimate batch installer flagged by heuristic engines due to encoded PowerShell and evasion checks. If obtained from an official vendor or trusted repository, it is safe to execute. If received from an untrusted source, verify the publisher and source before running.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
9

Adversary techniques mapped to the MITRE ATT&CK framework.

T1010T1036T1057T1059.001T1064T1082T1202T1497T1574.002
Spawned processes
12
$(unnamed)
"C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\<USER>\Desktop\install.bat"
$(unnamed)
C:\Windows\system32\cmd.exe /K "C:\Users\<USER>\Desktop\install.bat"
$(unnamed)
C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\setup.bat" "
$(unnamed)
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
$(unnamed)
C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo marco "
$(unnamed)
C:\Windows\System32\findstr.exe findstr /C:"polo"
$(unnamed)
C:\Windows\System32\findstr.exe findstr /V /C:"polo"
$(unnamed)
C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\Desktop\" "
+4 more processes captured.
Network activity
1
IP addresses1
  • 224.0.0.251
Filesystem & mutexes
14
Files written11
  • C:\Users\<USER>\Downloads\.exe
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfv1g0rc.541.psm1
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mctvwmik.iam.ps1
  • C:\Users\user\AppData\Roaming
+6 more
Files deleted2
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfv1g0rc.541.psm1
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mctvwmik.iam.ps1
Mutexes created1
  • \Sessions\1\BaseNamedObjects\Local\SessionImmersiveColorMutex
Dropped payload

Files this sample writes at runtime

This file drops 3 children at runtime. None are currently flagged malicious in our cache.

3 unseen
  • 96ad1146eb96877eab5987dcf7Never scanned
    never seen before
  • 73f1e4a704162d15a796252f83Never scanned
    never seen before
  • ef13280b4372077eccaf12ff80Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis
MITRE ATT&CK profile
Execution× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • EncodedPowerShellhigh

    Sample spawned PowerShell with an encoded, Base64, or Invoke-Expression payload. Near-universal first-stage malware loader pattern.

    Evidence
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile "$_PSCommandPath = [Environment]::GetEnvironmentVariable('script_path', 'Process'); iex ((Get-Content -LiteralPath $_PSCommandPath) | out-…
Antivirus engine breakdown

0 detections across 74 engines

0 malicious0 suspicious74 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-240 engines
0flag
Mainstream engines with mixed FP rates
Low-trust17 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash d57693f225f6… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
3,633
Hundreds of people have uploaded this — common.
Total submissions
8,553
Includes repeat uploads by the same source.
First seen by VT
2y ago
Dec 20, 2024
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
here
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
12/20/2024, 11:23:17 PM
First seen (MalwareBazaar)
Last analysis (VT)
7/6/2026, 3:42:03 AM
Scanned here
7/8/2026, 12:48:28 AM
File name
setup.bat
Size
15.0 KB
MIME type
(unknown)
Detected type
Powershell
SHA-256
d57693f225f6cb6db126f7f5159a7d2b5631b11a1b4659faefcf6572e55517c0
MD5
dcc9950b262c57c2f7cb5cf62d079099
SHA-1
3e562fd9443687362062d17fc7fd298094a2dfc2
First seen (VT)
12/20/2024, 11:23:17 PM
Last analysis (VT)
7/6/2026, 3:42:03 AM
First scan (MalwareTips)
7/7/2026, 8:21:30 PM
Last scan (MalwareTips)
7/8/2026, 12:48:28 AM
Community reputation
-3flagged
Behavior tags
detect-debug-environmentpowershelllong-sleeps
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.