File name: GrammarlyInstaller.exe

Full analysis: https://app.any.run/tasks/9803eef3-fc37-48f1-8e8a-60ec8d1cb64f
Verdict: Malicious activity
Analysis date: September 29, 2024, 05:06:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: E5E775428D0288022460B7B5B40BB50C
SHA1: 033C306D496B40316586F5CF6F0230BAA934679B
SHA256: F8C57549C632A2C5EDA7A85A5BE7B1B26E8065F1FA6C6BF59A5F78DA43C08DF2
SSDEEP: 196608:XLoQpO2UFeD6ldXnR6AcipQk4dFa360JEuJB3HKPQh/4Apm04JbGe2:hLgdXR6xDdF30WuJB3qY/HuCR

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by analyst actions inside the sandbox and is provided as-is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • GrammarlyInstaller.exe (PID: 3476)
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • GrammarlyInstaller.exe (PID: 3476)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • GrammarlyInstaller.exe (PID: 3476)
    • Executable content was dropped or overwritten

      • GrammarlyInstaller.exe (PID: 3476)
    • Process drops legitimate windows executable

      • GrammarlyInstaller.exe (PID: 3476)
    • Creates a software uninstall entry

      • GrammarlyInstaller.exe (PID: 3476)
    • Reads security settings of Internet Explorer

      • GrammarlyInstaller.exe (PID: 3476)
      • Grammarly.Desktop.exe (PID: 6516)
    • Checks Windows Trust Settings

      • Grammarly.Desktop.exe (PID: 6516)
    • Gets information on the list of running processes

      • GrammarlyInstaller.exe (PID: 3476)
    • Contains functionality for taking screenshots (YARA)

      • Grammarly.Desktop.exe (PID: 6516)
  • INFO

    • Checks supported languages

      • GrammarlyInstaller.exe (PID: 3476)
      • Grammarly.Desktop.exe (PID: 6516)
    • Creates files in a temporary directory

      • GrammarlyInstaller.exe (PID: 3476)
    • Reads the computer name

      • GrammarlyInstaller.exe (PID: 3476)
      • Grammarly.Desktop.exe (PID: 6516)
    • Reads the machine GUID from the registry

      • GrammarlyInstaller.exe (PID: 3476)
      • Grammarly.Desktop.exe (PID: 6516)
    • Creates files or folders in the user directory

      • GrammarlyInstaller.exe (PID: 3476)
    • The process uses the downloaded file

      • GrammarlyInstaller.exe (PID: 3476)
      • Grammarly.Desktop.exe (PID: 6516)
    • Process checks computer location settings

      • GrammarlyInstaller.exe (PID: 3476)
    • Creates files in the program directory

      • Grammarly.Desktop.exe (PID: 6516)
    • Checks proxy server information

      • Grammarly.Desktop.exe (PID: 6516)
    • Application launched itself

      • msedge.exe (PID: 5144)
    • Reads the software policy settings

      • Grammarly.Desktop.exe (PID: 6516)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.101.1482
ProductVersionNumber: 1.2.101.1482
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Grammarly
FileDescription: Grammarly for Windows
FileVersion: 1.2.101.1482
LegalCopyright: Copyright © 2009-2024 Grammarly Inc.
ProductName: Grammarly for Windows
ProductVersion: 1.2.101.1482
No data.
All screenshots are available in the full report
Total processes: 169
Monitored processes: 47
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start, grammarlyinstaller.exe (THREAT), grammarly.desktop.exe, tasklist.exe (no specs), conhost.exe (no specs), msedge.exe (numerous instances, most marked "no specs"), identity_helper.exe (no specs, two instances), followed by further msedge.exe instances (no specs). Per-process details are listed under "Process information" below and in the full report.

Process information

Each entry lists PID, command line, image path, parent process and loaded modules. The Indicators column was empty for every process shown here.

PID 740
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5376 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 840
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 880
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6100 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 992
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2480 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1336
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3708 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1536
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1712
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5352 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1768
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2316 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 1804
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5776 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID 2224
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=1384 --field-trial-handle=2324,i,16320393550101483161,5091473474289240114,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules:
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 13 396
Read events: 13 337
Write events: 57
Delete events: 2

Modification events

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Grammarly
Operation: write
Name: installer_container_id
Value: WIN-INSTALL-3B5D2486-62AD-4B2D-B72E-D2F4DFCB1F19

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 95

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Grammarly
Value: (none)

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Grammarly
Value: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Desktop.exe

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CLASSES_ROOT\grammarly.windows-extension
Operation: write
Name: URL Protocol
Value: (empty)

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations
Operation: write
Name: DisplayName
Value: Grammarly for Windows

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Uninstall.exe"

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations
Operation: write
Name: QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Uninstall.exe" /S

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations
Operation: write
Name: InstallLocation
Value: "C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations"

Process: GrammarlyInstaller.exe (PID 3476)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations
Operation: write
Name: DisplayIcon
Value: "C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\MainIconBR.ico"
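The only signature this report rates MALICIOUS is the autorun change, and the modification events above show exactly what it consists of: the installer deletes and then rewrites the value "Grammarly" under HKCU\...\CurrentVersion\Run, pointing it at an executable in the user-writable AppData\Local tree, and registers an uninstall entry and a URL protocol handler alongside it. The Python below is an added example for triaging such events; it is not part of the ANY.RUN report or of Grammarly's software. It takes the ten events transcribed from this section, reports Run-key writes as persistence (ATT&CK T1547.001) with flags for whether an existing value was removed first and whether the target lives in a directory a standard user can write to, and reports uninstall and protocol-handler registrations at low severity. The rule set, the user-writable directory list and the severity labels are this example's own assumptions.

```python
import re

# Registry modification events transcribed from this report's "Modification events" section:
# (pid, process, key, operation, value name, data). Constructed input for this example.
EVENTS = [
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Grammarly",
     "write", "installer_container_id", "WIN-INSTALL-3B5D2486-62AD-4B2D-B72E-D2F4DFCB1F19"),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
     "write", "GlobalAssocChangedCounter", "95"),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "delete value", "Grammarly", ""),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "write", "Grammarly", r"C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Desktop.exe"),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CLASSES_ROOT\grammarly.windows-extension",
     "write", "URL Protocol", ""),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations",
     "write", "DisplayName", "Grammarly for Windows"),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations",
     "write", "UninstallString", r'"C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Uninstall.exe"'),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations",
     "write", "QuietUninstallString", r'"C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Uninstall.exe" /S'),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations",
     "write", "InstallLocation", r'"C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations"'),
    (3476, "GrammarlyInstaller.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grammarly Desktop Integrations",
     "write", "DisplayIcon", r'"C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\MainIconBR.ico"'),
]

# Autostart keys (ATT&CK T1547.001); matched on the key's tail so HKCU and HKLM are both covered.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\", re.IGNORECASE)
# Directories a standard user can write to (example's assumption); an autorun target located
# there can be replaced without administrative rights.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|LocalLow|Roaming)|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def classify(key, name):
    """Map a registry write to one of the categories this example reports on."""
    if AUTORUN_KEY.search(key):
        return "autorun"
    if UNINSTALL_KEY.search(key):
        return "uninstall_entry"
    if key.upper().startswith("HKEY_CLASSES_ROOT\\") and name == "URL Protocol":
        return "url_protocol_handler"
    return "info"


def triage(events):
    """Return one finding per persistence-relevant write, in log order."""
    findings = []
    deleted = set()  # (key, value name) pairs removed earlier in the log
    for pid, process, key, operation, name, data in events:
        ident = (key.lower(), name.lower())
        if operation.startswith("delete"):
            deleted.add(ident)
            continue
        category = classify(key, name)
        if category == "info":
            continue
        finding = {"pid": pid, "process": process, "category": category,
                   "key": key, "name": name, "target": data, "severity": "low"}
        if category == "autorun":
            finding.update(
                severity="high",
                technique="T1547.001",
                replaced_existing=ident in deleted,               # delete-then-write of the same value
                user_writable_target=bool(USER_WRITABLE.search(data)),
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        flags = [k for k in ("replaced_existing", "user_writable_target") if f.get(k)]
        print(f"[{f['severity']:4}] {f['category']:<21} {f['name']} -> {f['target'] or '(empty)'} {flags}")
```

Run against the transcribed events, the script yields one high-severity autorun finding (target under AppData\Local, previous value deleted first), five low-severity uninstall-entry writes and one protocol-handler registration; the Explorer counter and the Grammarly container id are ignored. The same function can be pointed at any (key, operation, name, data) stream, for example Sysmon event ID 13 records, to get the same classification on a live host.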
Executable files: 155
Suspicious files: 189
Text files: 157
Unknown types: 0

Dropped files

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\DynamicData.dll (executable)
MD5: 69ED79E6C4DD9BE8460E4722D2382F74
SHA256: 3FA64E109F200EC2D622F57D405619164E69BD2105EC2B7A2C1DEBB87E0AAE26

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Temp\nsn7445.tmp\NScurl.dll (executable)
MD5: E746969A96345CA1D329F5D64310B0A4
SHA256: 8D8FC1D4EEAB292C88829F410BAB72BD36E9A2507B041C1E8675E4378B7B6E81

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\FSharp.Core.dll (executable)
MD5: 73BBFAB836FB8DC989E88D05ABA33054
SHA256: 5BB08885557D08D5E39C7A834F32C002A8A36044D5E9EA54B74C7D828CFA7EEB

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\FParsecCS.dll (executable)
MD5: 4CB8DF209079835F8F9D7413561756F8
SHA256: 73EC83D02C0479AC65D59971DE59A49DAFD25C4D597C28D8BE74A74CEB4EEDA4

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Auth.FSharp.dll (executable)
MD5: 9B3BE33CD5C54799F62CA25248261909
SHA256: C257BA6782270AFFEBC62570D1E247F6FBA6125F65CDA4734311D628634AFEDB

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Auth.dll (executable)
MD5: 1E3CFA1BC5BE4055E01C8DCED0C6CE12
SHA256: BC6BC2CF985191B696641699E4B5594EDD3666B6D5C25558706546A8A270F96F

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.CheetahClient.Protocol.dll (executable)
MD5: 6A3A4A4E362146E06F0378CAE90D8853
SHA256: 545BED2F6F443D9C80BCB38CFD00BEE41D2CFC60640DA05E5CA28866ADA59D81

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Client.WebUI.dll.config (xml)
MD5: F843B026780F88F0D738CCE4855CFAAE
SHA256: F1700DAF427E443746FCC6BEB694656E491FF0CF67500C68B2E0FF0B1553C525

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\Dapper.dll (executable)
MD5: 2C66C0379C4EE050EB15FEF2CC061ECB
SHA256: 88FD131A783559FD9B2635F7328E0A27F0D658FE83F0EE1D5C960076F6D260A7

PID 3476, GrammarlyInstaller.exe: C:\Users\admin\AppData\Local\Grammarly\DesktopIntegrations\FParsec.dll (executable)
MD5: FEDAD834EA8CF455A1DA113BF5DA8062
SHA256: 9D9025489080819FDF7FE2C624B2588310C04319B37E1EB85B2D4F8A7BEB8975
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 341
TCP/UDP connections: 245
DNS requests: 228
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN / Reputation
(The Type and Size columns carried no values in the rows shown and are omitted; rows without PID and process are listed as n/a.)

2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown / whitelisted
6516 | Grammarly.Desktop.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown / whitelisted
5000 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown / whitelisted
6516 | Grammarly.Desktop.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown / whitelisted
6516 | Grammarly.Desktop.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAP6qsgCBPlyGsHkT1nKyns%3D | unknown / whitelisted
n/a | n/a | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown
n/a | n/a | POST | 200 | 100.24.247.35:443 | https://f-log-win-extension.grammarly.io/logv2?extended=0 | unknown / unknown
n/a | n/a | POST | 200 | 34.235.76.68:443 | https://win-extension.femetrics.grammarly.io/import | unknown / unknown
n/a | n/a | POST | 200 | 52.20.121.129:443 | https://f-log-win-extension.grammarly.io/logv2?extended=0 | unknown / unknown
n/a | n/a | POST | 200 | 44.198.154.75:443 | https://f-log-win-extension.grammarly.io/logv2?extended=0 | unknown / unknown
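Three of the GET requests above are OCSP status checks from Grammarly.Desktop.exe (PID 6516) to ocsp.digicert.com, which fits the "Checks Windows Trust Settings" indicator: the process is asking the CA whether a certificate has been revoked, as happens during signature verification. The certificate being checked is encoded in the URL itself: the path is a base64 DER OCSPRequest (RFC 6960, Appendix A.1) that has then been URL-escaped. The Python below is an added example and is not part of the ANY.RUN report or of Grammarly's code. It decodes those three URLs with a minimal DER walker and returns, for each CertID, the hash algorithm, issuer name hash, issuer key hash and certificate serial number, so an analyst can tie the request to a specific signer chain instead of treating it as an opaque whitelisted URL. The URL list is copied from this report; everything else is the example's own.

```python
import base64
import urllib.parse

# OCSP GET URLs issued by Grammarly.Desktop.exe (PID 6516), copied from this report.
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAP6qsgCBPlyGsHkT1nKyns%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE, OCTET_STRING, INTEGER = 0x30, 0x04, 0x02


def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; returns (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(constructed):
    """Yield (tag, value) for each element inside a SEQUENCE or SET value."""
    pos = 0
    while pos < len(constructed):
        tag, value, pos = read_tlv(constructed, pos)
        yield tag, value


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url):
    """Decode the OCSPRequest carried in an OCSP GET URL; returns one dict per CertID."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path).lstrip("/")
    tag, ocsp_request, _ = read_tlv(base64.b64decode(path))
    if tag != SEQUENCE:
        raise ValueError("not a DER OCSPRequest")
    _, tbs_request, _ = read_tlv(ocsp_request)
    # TBSRequest: optional [0] version and [1] requestorName precede the SEQUENCE OF Request.
    request_list = next(v for t, v in children(tbs_request) if t == SEQUENCE)
    results = []
    for _, request in children(request_list):
        _, cert_id, _ = read_tlv(request)          # CertID is the first element of Request
        (_, alg_id), (_, name_hash), (_, key_hash), (int_tag, serial) = list(children(cert_id))
        if int_tag != INTEGER:
            raise ValueError("CertID.serialNumber is not an INTEGER")
        if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
            serial = serial[1:]                    # drop the sign-padding byte DER adds
        oid = decode_oid(next(children(alg_id))[1])
        results.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return results


if __name__ == "__main__":
    for url in OCSP_URLS:
        for cert in parse_ocsp_get_url(url):
            print(f"{cert['hash_alg']}  serial={cert['serial']}  issuerKeyHash={cert['issuer_key_hash']}")
```

The issuer key hash is the SHA-1 of the issuing CA's public key, which equals the SubjectKeyIdentifier of most CA certificates, so it can be matched against the CA certificates in the signer chain of the dropped binaries; the serial identifies the exact end-entity or intermediate certificate being checked. A mismatch between the certificates a process checks and the certificates its own binaries are signed with is the kind of discrepancy worth a second look.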

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(Rows without PID, process or domain are listed as n/a.)

n/a | n/a | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | n/a | n/a | n/a | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | n/a | n/a | n/a | whitelisted
4 | System | 192.168.100.255:138 | n/a | n/a | n/a | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5000 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
n/a | n/a | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5000 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3476 | GrammarlyInstaller.exe | 3.217.105.80:443 | win-extension.femetrics.grammarly.io | AMAZON-AES | US | suspicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
win-extension.femetrics.grammarly.io
  • 3.217.105.80
  • 50.16.95.115
  • 44.205.67.122
  • 34.235.76.68
  • 34.196.4.150
  • 52.201.20.81
unknown
f-log-win-extension.grammarly.io
  • 100.24.247.35
  • 44.198.154.75
  • 3.226.174.242
  • 3.223.12.253
  • 18.233.254.209
  • 34.206.163.117
  • 34.238.30.146
  • 52.20.121.129
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
browser.pipe.aria.microsoft.com
  • 104.208.16.92
whitelisted
auth.grammarly.com
  • 34.111.113.62
whitelisted
gnar.grammarly.com
  • 3.224.205.2
  • 44.212.204.137
  • 23.23.121.72
  • 34.206.61.193
  • 3.89.14.139
  • 54.225.170.55
  • 52.2.205.185
  • 3.232.175.126
  • 52.73.175.178
whitelisted
treatment.grammarly.com
  • 34.233.208.136
  • 3.228.111.8
  • 34.236.207.71
  • 35.169.218.70
  • 18.214.29.204
  • 3.227.121.156
whitelisted

Threats

PID | Process | Class | Message
992 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
992 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] An application monitoring request to sentry .io
1 ETPRO signature is available in the full report.
No debug info