Safe
Plain-text config file with zero engine detections, NSRL reference hit, and widespread historical submissions.
60099cf91bb1a5717f…8c560bf3d5
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections from 53 reporting engines, including 13 tier-1 engines, rules out active malware consensus. The CIRCL NSRL hit with knownMalicious=null confirms the file as a recognised benign Android-related config. High submission volume over 2437 days further supports commodity benign status. Sandbox commands such as schtasks and auditpol are common in legitimate installers or system utilities and do not override the engine and prevalence evidence.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.malicious=0 and engines.tier1Malicious=0 across 53 reporting engines
externalIntel.circl.hit=true, source=nsrl_android, knownMalicious=null
prevalence.classification=common_old (3633 submitters, 7426 submissions)
behaviour.offensiveTechniques=[T1055,T1560.002,T1620] with triggeredHeuristics showing MalwareTips.Synth.ProcessInjection and MalwareTips.Synth.PersistenceScheduledTask
- Zero malicious engine detections
- CIRCL NSRL reference hit
- Common_old prevalence with thousands of submissions
Treat the file as safe; no remediation steps needed.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
1 corroborating signal from researcher-curated sources
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample spawned schtasks / PowerShell scheduled-task cmdlets / sc create. Persistence mechanism.
Evidence: C:\Windows\system32\schtasks.exe /delete /f /TN Microsoft\Windows\Customer Experience Improvement Program\Uploader
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: auditpol /set /subcategory:Security State Change /success:enable /failure:enable
0 detections across 74 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: config
- Size: 3.2 KB
- MIME type: (unknown)
- Detected type: Text
- SHA-256: 60099cf91bb1a5717fc1f2d23cf36a61d3bfb70d9489fbb6f4bae98c560bf3d5
- MD5: d9bc824737177af5792846f26507231c
- SHA-1: c44835e4881d95a97b597bebff5deba0233a5887
- First seen (VT): 11/1/2019, 11:44:38 PM
- Last analysis (VT): 7/2/2026, 12:11:05 AM
- First scan (MalwareTips): 7/4/2026, 5:56:27 PM
- Last scan (MalwareTips): 7/4/2026, 5:56:27 PM
- Community reputation: +3 (trusted)
Reviews & malware reports (0)