Safe
Adobe-signed AcroTray.exe with zero malicious detections, clean tier-1 consensus, and benign runtime behaviour.
311c46b24603d425f7…a9b31b642c
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
AcroTray.exe is a well-established Adobe Acrobat Reader component with a 9-year submission history (first seen 2016-10-11). The file carries a valid Adobe Systems signature matched to our curated trusted-publisher list. All 17 tier-1 antivirus engines (Avast, AVG, Avira, BitDefender, DrWeb, Emsisoft, ESET-NOD32, F-Secure, Fortinet, GData, Ikarus, Kaspersky, and others) report it clean. Behavioural analysis shows zero offensive MITRE techniques and only ambient system-discovery operations typical of legitimate software. The 'DirectIpC2' heuristic fired on a sandbox placeholder token ('<MACHINE_DNS_SERVER>'), not a real external IP, and community annotations reference only legitimate certificate-chain URLs (Thawte, Symantec OCSP/CRL endpoints). No malicious sandbox verdict, no malicious host contact, no dropped malicious children. The evidence converges on a benign signed installer.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
signing.verified=true, signer='Adobe Systems', trustedPublisher.matched=true — legitimately signed by curated trusted publisher
tier1Malicious=0; tier1ReportedClean=17 (Avast, AVG, Avira, BitDefender, DrWeb, Emsisoft, ESET-NOD32, F-Secure, Fortinet, GData, Ikarus, Kaspersky) — no tier-1 engines flagged malicious
behaviour.offensiveCount=0; all 7 MITRE techniques are ambient (T1010, T1012, T1082, T1083, T1112, T1129, T1564.003) — benign system discovery
triggeredHeuristics 'MalwareTips.Synth.DirectIpC2' fired on '<MACHINE_DNS_SERVER>' placeholder token — sandbox instrumentation artifact, not real C2
prevalence.classification='medium' (54 submissions, 22 sources since 2016) — established Adobe Acrobat Reader component with long history
- Signed by Adobe Systems (curated trusted publisher)
- 17 tier-1 antivirus engines report clean
- Zero malicious detections across 72 engines
- Benign runtime behaviour (system discovery only, no offensive techniques)
- 9-year submission history with medium prevalence (54 submissions, 22 sources)
This file is safe. It is a legitimate Adobe Acrobat Reader component with a verified signature, clean tier-1 consensus, and benign behaviour profile. No remediation is needed.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- <MACHINE_DNS_SERVER>
- C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
- C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
YARA + heuristic rules that fired
One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: <MACHINE_DNS_SERVER>
0 detections across 76 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: AcroTray.exe
- Size: 1.78 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 311c46b24603d425f7e2791d286e07e1de9562374b337d47778403a9b31b642c
- MD5: 18a7d576c182e67f73db5e0e7ad284ec
- SHA-1: 29174ebc6b219fd7fd00ac05d8c96fa10e81175a
- PE imphash: 48dba7f205ad53a5053e0b48670569d4
- First seen (VT): 10/11/2016, 8:36:32 AM
- Last analysis (VT): 3/3/2024, 12:01:34 AM
- First scan (MalwareTips): 6/13/2026, 10:04:18 AM
- Last scan (MalwareTips): 6/13/2026, 10:04:18 AM
- Code signer: Adobe Systems (verified)
- Community reputation: +32 (trusted)