Edit tour

Windows Analysis Report
Grammarly.Desktop.exe

Overview

General Information

Sample Name:	Grammarly.Desktop.exe
Analysis ID:	576606
MD5:	e776a040444e7c0ee4701063a3795fd6
SHA1:	81e2c5a11f88660f1384b4e00d0896762b575b92
SHA256:	a434e9368137f7184040e62035745027ed4772f25b3715be9af0b68025500e50
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

PE file contains strange resources

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Classification

Process Tree

System is w10x64

Grammarly.Desktop.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\Grammarly.Desktop.exe" MD5: E776A040444E7C0EE4701063A3795FD6)

WerFault.exe (PID: 5580 cmdline: C:\Windows\system32\WerFault.exe -u -p 6688 -s 700 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Grammarly.Desktop.exe

Static PE information: certificate valid

Source: Grammarly.Desktop.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: C:\Gitlab-Runner\builds\bCeEXD-g\0\desktop-integrations\projectllama-win\Sources\Grammarly.Desktop\obj\Publish\Grammarly.Desktop.pdb source: Grammarly.Desktop.exe
Source:	Binary string: mscorlib.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbXl source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: Grammarly.Desktop.pdbx7Dh source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.pdbg source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: C:\Gitlab-Runner\builds\bCeEXD-g\0\desktop-integrations\projectllama-win\Sources\Grammarly.Desktop\obj\Publish\Grammarly.Desktop.pdb% source: Grammarly.Desktop.exe
Source:	Binary string: System.Core.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: Grammarly.Desktop.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER3C6F.tmp.dmp.6.dr

Source: Grammarly.Desktop.exe	String found in binary or memory: app.slack.com!web.whatsapp.com!www.linkedin.com%outlook.office.com equals www.linkedin.com (Linkedin)
Source: Grammarly.Desktop.exe	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Grammarly.Desktop.exe	String found in binary or memory: www.google.com!www.facebook.com!web.facebook.com+business.facebook.com#www.instagram.com equals www.facebook.com (Facebook)
Source: Grammarly.Desktop.exe	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: Grammarly.Desktop.exe	String found in binary or memory: www.twitch.tv%studio.youtube.com equals www.youtube.com (Youtube)
Source: Grammarly.Desktop.exe	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: Grammarly.Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Grammarly.Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Grammarly.Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Grammarly.Desktop.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Grammarly.Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Grammarly.Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Grammarly.Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Grammarly.Desktop.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Grammarly.Desktop.exe	String found in binary or memory: http://www.grammarly.com/
Source: Grammarly.Desktop.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: Grammarly.Desktop.exe	Binary or memory string: OriginalFilename vs Grammarly.Desktop.exe
Source: Grammarly.Desktop.exe, 00000000.00000000.298777246.0000023ED67BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Grammarly.Desktop.exe
Source: Grammarly.Desktop.exe, 00000000.00000002.315883273.0000023ED67BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Grammarly.Desktop.exe

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6688 -s 700

Source: Grammarly.Desktop.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

File read: C:\Users\user\Desktop\Grammarly.Desktop.exe

Jump to behavior

Source: Grammarly.Desktop.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Grammarly.Desktop.exe "C:\Users\user\Desktop\Grammarly.Desktop.exe"
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6688 -s 700

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6688

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C6F.tmp

Jump to behavior

Source: classification engine

Classification label: clean3.winEXE@2/5@0/0

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Grammarly.Desktop.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Grammarly.Desktop.exe

Static PE information: certificate valid

Source: Grammarly.Desktop.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: Grammarly.Desktop.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Core.ni.pdbRSDSD source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: C:\Gitlab-Runner\builds\bCeEXD-g\0\desktop-integrations\projectllama-win\Sources\Grammarly.Desktop\obj\Publish\Grammarly.Desktop.pdb source: Grammarly.Desktop.exe
Source:	Binary string: mscorlib.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbXl source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: Grammarly.Desktop.pdbx7Dh source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.pdbg source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: C:\Gitlab-Runner\builds\bCeEXD-g\0\desktop-integrations\projectllama-win\Sources\Grammarly.Desktop\obj\Publish\Grammarly.Desktop.pdb% source: Grammarly.Desktop.exe
Source:	Binary string: System.Core.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: Grammarly.Desktop.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER3C6F.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER3C6F.tmp.dmp.6.dr

Source: Grammarly.Desktop.exe

Static PE information: 0x9BDDC3B6 [Tue Nov 12 05:27:18 2052 UTC]

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Grammarly.Desktop.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Queries volume information: C:\Users\user\Desktop\Grammarly.Desktop.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Grammarly.Desktop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Grammarly.Desktop.exe	0%	Virustotal		Browse
Grammarly.Desktop.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.grammarly.com/	Grammarly.Desktop.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	576606
Start date:	22.02.2022
Start time:	17:27:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Grammarly.Desktop.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.winEXE@2/5@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.1% (good quality ratio 10.6%) Quality average: 40.8% Quality standard deviation: 38.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Execution Graph export aborted for target Grammarly.Desktop.exe, PID 6688 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:28:54	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Grammarly.Deskto_a9425234412de8fc4c91c8cb24189d150963838_303a4faa_15a04d67\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9003876251973331
Encrypted:	false
SSDEEP:	96:ezFKwuPUeNweI1yzTzzxDi5TzpXIQcQbc6YjecEPcw35n+BHUHZopAnQFdE7dlzg:AruPUiw91Y4H1Z1gayF/u7sCS274lt2
MD5:	3223F015E0FF8A509A188B7299EF7367
SHA1:	92345000925C4B9940A62DF25D5F3C7D06447206
SHA-256:	360577C8CA6B7A38C5240C39E89F31881EFDA0530DA710A226A25E2FCF3A0D45
SHA-512:	29741EB7FDE1E713AF23934B02D42C044819A1E1607C304364660B24EB6EF2E3B7165CD6182F5F1EF16941F57F4D3CBD7FD48E33A25A1FE4E534AE76EE2D13E2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.0.0.5.3.3.3.0.3.9.4.2.0.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.0.0.5.3.3.3.3.3.3.1.7.0.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.f.4.6.1.1.0.-.b.a.b.c.-.4.b.5.9.-.b.1.5.a.-.0.7.7.b.c.9.d.8.7.b.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.a.1.4.9.8.4.-.e.3.8.9.-.4.c.9.e.-.8.5.2.0.-.3.5.d.6.b.7.e.2.a.b.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.G.r.a.m.m.a.r.l.y...D.e.s.k.t.o.p...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.r.a.m.m.a.r.l.y...D.e.s.k.t.o.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.0.-.0.0.0.1.-.0.0.1.c.-.8.5.4.1.-.b.c.b.1.5.4.2.8.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.d.6.1.6.6.3.3.8.d.6.8.4.b.8.1.2.5.6.3.1.3.c.b.4.1.e.4.5.a.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.e.2.c.5.a.1.1.f.8.8.6.6.0.f.1.3.8.4.b.4.e.0.0.d.0.8.9.6.7.6.2.b.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C6F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Feb 23 01:28:51 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	245435
Entropy (8bit):	3.35594850930805
Encrypted:	false
SSDEEP:	3072:Xfdyqg4GvTdGMqKb19eDEF0+M5L68/PZkl9c8Nv5bdF4iL:0q52TdOKQ9/PZib
MD5:	5C4E778CCB89C7470428284A88441628
SHA1:	A8CBA6C4A3DD7953547F7A92C147A7264F10FA82
SHA-256:	7B232843AE3533C9A7031CC7E4B877774E398A81B3781A4E0E2060C7A5A53635
SHA-512:	5374F2D4B5CF0043B2E4B1EB595E59D03032D87F9881DFFA52E8322A5089212FD3FAE1480FE525E2E89E53EE7E1151017BF1159345168435E8B2136EA7602EDA
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........b....................................$...........................@=..........l.......8...........T......................................x....................................................................U...........B..............Lw................AE....T....... .....b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4307.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8762
Entropy (8bit):	3.7068705113744995
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNivLdg6YFjFYgmfs4aSD31HCprK89bXDdfkdm:RrlsNiDdg6YBFYgmfs4aSD3mXZfD
MD5:	C6C426C5C25F0C63AAD48856C2B15D32
SHA1:	9A395CD9F208F0541FCEA9A52C320C9FD0AE6DB2
SHA-256:	19AB6A45CAAC0C529B7938BF7902247C1E12771DBFB648C5E78FE8DBE0E0F01F
SHA-512:	33242B5012B19FCDD04EEF58CC96CFE9E09589A4B33E908460CB488691F7B8253A194FB07FF5EA565345DAE439F9E5DC8627DEE0114154ABFFA968DEAA51F85D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4441.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4746
Entropy (8bit):	4.494169075056896
Encrypted:	false
SSDEEP:	48:cvIwSD8zsZJgtBI9MCWSC8Bi8fm8M4JdgnNFeuPyq85vgctAJQjHQd:uITfruDSN5JdgFPYgoAJQjHQd
MD5:	C0F69A6CC1EBFD77128AB6B68E7A510C
SHA1:	E4EAE698115D409546B4D02F78C13CD68F067FE8
SHA-256:	D0B82381ABB4B6F6F66642833768E207EB9C53B4B80B6460E6B8F2A40A3E9E6B
SHA-512:	9739E0A338464A252991077942FAA55F1BBEEB0B3D35DA0968E235AA3E365940F04611D0A9DFF4A0215494870BCA67F7CDA4DE062C872825E8E4B72AB34C7F8B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1398879" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.270356159744542
Encrypted:	false
SSDEEP:	12288:/WE0Th312ap8TSP5ve7dcb5GMtzr8VxmoKwPjMQ2ZlPfq+kwX2jeJ:uE0Th312ap8TSPd5
MD5:	27CDE1FA60A7A9A6D8BAF5B432D9ABFC
SHA1:	79182FF76DCE44906DE2E0392F25BE11CEEC1F6C
SHA-256:	52DF7A0F0A20A2416144DF26270E69167150683C0DAD8AC3DE0E14D432E9DE01
SHA-512:	A484F6DC3E08ABC5996BFF7828C20737B8F39FA390ED52B51158D3F20051BA0ABE4CE2F98B2FED1805B6CB68C0DB5E5CDC4EEE1C0E02CC8C319FB0E3BF2D77D8
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmZ?.T(..............................................................................................................................................................................................................................................................................................................................................N...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.219769642892764
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Grammarly.Desktop.exe
File size:	935408
MD5:	e776a040444e7c0ee4701063a3795fd6
SHA1:	81e2c5a11f88660f1384b4e00d0896762b575b92
SHA256:	a434e9368137f7184040e62035745027ed4772f25b3715be9af0b68025500e50
SHA512:	673291686b48243a71581820f39dc698fe2d4b3319ace82d295da58ea8739be4d9770cfb512ae081e7fcb55bd926f592733944a826b7b4267c062ee87c682d74
SSDEEP:	3072:i203GLV//ulBNPYtHKpDdde9dde5zdeKq8xv:i2032V/e3fQfUpI8h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......p......R.... ........@.. ..............................e5....`................................

File Icon


Icon Hash:	f0f0ec54c4c8d070

Static PE Info

General

Entrypoint:	0x49d952
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x9BDDC3B6 [Tue Nov 12 05:27:18 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/25/2021 5:00:00 PM 6/7/2023 4:59:59 PM
Subject Chain	CN="Grammarly, Inc.", OU="Grammarly, Inc.", O="Grammarly, Inc.", L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	73D2BF9C5E1FC6966F9EDDFA2DA64763
Thumbprint SHA-1:	8AE0165438CED5A689073EDE15757F8067D44DB2
Thumbprint SHA-256:	DA20FD8242059F887A47E3C8264EB63BB9B3EC16A22E5BCEA7F6C11B25075BC1
Serial:	0F6FFE34105D3EB08ACA6233E6CE3A82

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d8fd	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x46cb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe2c00	0x19f0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9d828	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9b958	0x9ba00	False	0.0812170557229	data	3.31800190489	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x46cb8	0x46e00	False	0.0445636298501	data	2.77396688236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x9e160	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x9e5d8	0x10a8	data
RT_ICON	0x9f690	0x25a8	data
RT_ICON	0xa1c48	0x42028	data
RT_GROUP_ICON	0xe3c80	0x3e	data
RT_VERSION	0xe3cd0	0x388	data
RT_MANIFEST	0xe4068	0xc49	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2009-2021 Grammarly Inc.
Assembly Version	1.0.3.145
InternalName	Grammarly.Desktop.exe
FileVersion	1.0.3.145
CompanyName
LegalTrademarks
Comments
ProductName	Grammarly for Windows
ProductVersion	1.0.3.145
FileDescription	Grammarly
OriginalFilename	Grammarly.Desktop.exe

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• Grammarly.Desktop.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Grammarly.Desktop.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: Grammarly.Desktop.exePID: 6688, Parent PID: 4428

Function Logs

General

Target ID:	0
Start time:	17:28:43
Start date:	22/02/2022
Path:	C:\Users\user\Desktop\Grammarly.Desktop.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Grammarly.Desktop.exe"
Imagebase:	0x23ed65f0000
File size:	935408 bytes
MD5 hash:	E776A040444E7C0EE4701063A3795FD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Read

File Attributes Queried

Other File Operations

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5580, Parent PID: 6688

Function Logs

General

Target ID:	6
Start time:	17:28:48
Start date:	22/02/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6688 -s 700
Imagebase:	0x7ff662520000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Modified

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Grammarly.Desktop.exePID: 6688, Parent PID: 4428COMMON

Executed Functions

Function 00007FFC0871057F Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316354750.00007FFC08710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08710000_Grammarly.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77f744ec95aeb8634e65e4cdf4d39942d8aa28574fbe613c0e9a43439bf6e8c
Instruction ID: d9243dc904879d7c34a1a028461a3e303387a7abd4e0c0ba026abaa13955672d
Opcode Fuzzy Hash: e77f744ec95aeb8634e65e4cdf4d39942d8aa28574fbe613c0e9a43439bf6e8c
Instruction Fuzzy Hash: 2541B117A4C93A96EA10BAADB9511ED6740CFC1771B404837E18CC94EBCE1879CBC6F9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC087105AA Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316354750.00007FFC08710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08710000_Grammarly.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2899eda01f63b0e659e29569c9d46c75fe89b2d231673c3d6fe5599bda4c843a
Instruction ID: 859544ba0a384e4a115eaf6f6746e720ee40f639622a32abcbf1d56e3fe76831
Opcode Fuzzy Hash: 2899eda01f63b0e659e29569c9d46c75fe89b2d231673c3d6fe5599bda4c843a
Instruction Fuzzy Hash: 93419D17A4C93E96EA117BADB9111E96740DFC1731B404837E18CC94ABCE1C69CBC6F8

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08710658 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316354750.00007FFC08710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08710000_Grammarly.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1096d2fa12a69b76686b5cccf4ab004814b50ce169e5e49f981316b81542e4bf
Instruction ID: cdab798a4ba2135142036b403ddf52761cedd18a936d309d12dd590095753325
Opcode Fuzzy Hash: 1096d2fa12a69b76686b5cccf4ab004814b50ce169e5e49f981316b81542e4bf
Instruction Fuzzy Hash: 4C215912D8D93E9AFA55B6AD79221FC52809F86B20F144436E04CC95EBCD0C29C6C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08710660 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316354750.00007FFC08710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08710000_Grammarly.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8309263bc9964851b51448a6516b2efe748bc002d3f9ff30fc452aeee593220
Instruction ID: 6d356944d47899b75a7313023785336e722c40b06177aef964cf8cb763d5c692
Opcode Fuzzy Hash: a8309263bc9964851b51448a6516b2efe748bc002d3f9ff30fc452aeee593220
Instruction Fuzzy Hash: A6214712D8D97E9AFA51B7AD69221FC52805F86B20F048436F04CC98EBCD0C69C686B9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08710F00 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316354750.00007FFC08710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08710000_Grammarly.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107a4d5374f773cb2cf6b29a0af48221da0af824444226cd2e1042336b9489c7
Instruction ID: c1897705dd7969c0e03f3c1da3fba2ff66d2d806c6a491577d75305bb7c58101
Opcode Fuzzy Hash: 107a4d5374f773cb2cf6b29a0af48221da0af824444226cd2e1042336b9489c7
Instruction Fuzzy Hash: 46E092A141D7D00FDB1A972888625A5BFA0AF43300F8945EEE4C9CB4D7C66C918AC366

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Grammarly.Desktop.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Grammarly.Deskto_a9425234412de8fc4c91c8cb24189d150963838_303a4faa_15a04d67\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C6F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4307.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4441.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Grammarly.Desktop.exePID: 6688, Parent PID: 4428

General

File Activities

Windows Analysis Report
Grammarly.Desktop.exe