Safe
Single low-trust detection on a verified Grammarly-signed installer with classic AV-on-AV false-positive indicators.
701c9a0330f3833e4a…00150da518The reasoning behind this verdict
The MT AI Engine weighs every signal from this scan — antivirus detections, sandbox behaviour, code signing, prevalence and historical matches — to reach a single, evidence-based verdict.
The engine profile shows onlyLowTrustFlagging with zero tier-1 malicious detections, aligning directly with the av_on_av_fp_pattern heuristic. Signing is verified under the Grammarly name with no brand mismatch. While sandbox behaviour includes process injection and direct-IP contacts, the absence of malicious sandbox verdicts, dropped malicious children, or known-bad hosts keeps the overall risk low. Medium prevalence and the installer filename further support a benign commercial software interpretation.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 1/70 malicious (VBA32 low_trust 'suspected of Trojan.Notifier.gen'), tier1Malicious=0, 17 tier-1 clean
signing.verified=true, signer='Grammarly'
triggeredHeuristics: av_on_av_fp_pattern fired (low severity) with filename_security_software
behaviour.offensiveTechniques count=7 but hasMaliciousSandboxVerdict=false and no malicious contacted hosts
prevalence.classification=medium, similarHashes[0].verdict=suspicious (imphash match, signerCoMatch=false)
- Verified Grammarly signature
- 17 tier-1 engines clean
- Medium prevalence with installer filename
- No malicious dropped children or hosts
- 7 offensive MITRE techniques observed in sandbox
- Direct-IP contacts with no DNS resolution
- Process activity targeting LSASS
Treat as a legitimate Grammarly installer; the single low-trust detection is consistent with known AV-on-AV false-positive patterns for security-related filenames.
What to do now
This file looks safe based on everything we checked.
This file is safe to use.
Good habit: only download files from the official website or an app store.
Keep your antivirus and Windows updates switched on so you stay protected.
notifier corroborated by 1 source
- VT (74 engines)notifier
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 54.175.123.242
- 100.24.238.212
- 52.205.175.213
- 18.161.134.40
- 100.24.81.88
- 150.171.28.10
- 98.86.205.215
- 98.90.16.77
- 52.0.26.200
- 150.171.27.11
- https://win-extension.femetrics.grammarly.io/import
- https://in.grammarly.com/v1/events/ingestion_front_end?datasetName=installer
- https://f-log-win-extension.grammarly.io/logv2?extended=0
- https://download-windows.grammarly.com/GrammarlyInstaller.exe
- https://bat.bing.com/action/0?sr=1.000000&et=windows-sdk-w32_1.3.6&ver=2.4&evt=custom&ti=247009686&sh=1050&vid=e622e40f510b476da83fff17da884595&sw=1400&ea=launch
- https://bat.bing.com/action/0?sr=1.000000&et=windows-sdk-w32_1.3.6&ver=2.4&evt=custom&ti=247009686&sh=1050&vid=e622e40f510b476da83fff17da884595&sw=1400&ea=activation
- C:\Users\<USER>\AppData\Local\Temp\nsxC4B8.tmp
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\grammarly-micro\micro-installer.log
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\Banner.dll
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\nsExec.dll
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\Banner.dll
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\nsExec.dll
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nsnC4C9.tmp\
- C:\Users\<USER>\AppData\Local\Temp\nsl99.tmp\NScurl.dll
- grammarly.desktop.installer-6e9b97a3-dfe7-4a91-afbe-8e51f7be6d6c
- cversions.3.m
- Global\.net memory cache 4.0
- com.grammarly.ProjectLlama.SingleInstance
- Local\ChromeProcessSingletonStartup!
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 5748e60942c4a7f2e256…3df5a4Never scannednever seen before
- c1188ade07520b2f4224…0ec500Never scannednever seen before
- 4820bebf9970fac5cc8b…e4d97dNever scannednever seen before
- fbcfe23a2ecb82b7100c…dc0f2dNever scannednever seen before
- 4dabe379aa7380a8e5b9…89db18Never scannednever seen before
- b121689861b506dbc9c3…1c00bbNever scannednever seen before
- da3f122d19f811a0ee68…fde700Never scannednever seen before
- 318b502c9916b709ad9c…e972e0Never scannednever seen before
- d43ddec15370d5b6be6b…103f00Never scannednever seen before
- 25b58f05de7756ca0ea6…929fd2Never scannednever seen before
YARA & heuristic rule matches
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\Explorer.EXESandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 14 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence54.175.123.242 · 100.24.238.212 · 52.205.175.213
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How widely this file has been seen
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe
- Size
- 95.5 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 701c9a0330f3833e4a82712cf92dbe4e76a9a05e412dfdad25af2900150da518
- MD5
- d147b251173d360e8885bc605e81f2ee
- SHA-1
- 6e91519bc115e0723de7c16d666a81e9f5fa78c5
- PE imphash
- 46ce5c12b293febbeb513b196aa7f843
- First seen (VT)
- 6/29/2026, 8:29:23 AM
- Last analysis (VT)
- 7/11/2026, 3:44:39 PM
- First scan (MalwareTips)
- 7/13/2026, 1:56:39 PM
- Last scan (MalwareTips)
- 7/13/2026, 1:56:39 PM
- Code signer
- Grammarlyverified
Safety FAQ
Common questions about GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe, answered from the scan data above.
- GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe appears safe. 73 of 74 antivirus engines report it clean, with only 1 low-confidence detection that read as false positives. It carries a verified digital signature from Grammarly. As a habit, only run files you downloaded from the official source, since attackers sometimes distribute trojanised copies of legitimate software under the same name.
- GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe is a Windows executable program, about 96 KB. Our analysis found no threat indicators for it. It carries a verified digital signature from Grammarly. A file's name can be reused by different files, so we identify it by its cryptographic hash (below).
- 1 of 74 antivirus engines flagged GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe, 1 of them as outright malicious. A small number of detections can include false positives, so we weigh which engines flagged it and what else the file does, not just the raw count.
- Yes — GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe carries a valid digital signature from Grammarly, which confirms the file hasn't been tampered with since that publisher signed it. A valid signature is a positive signal, but note that malware is occasionally signed with stolen or abused certificates, so it isn't proof of safety on its own.
- The SHA-256 hash of GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe is 701c9a0330f3833e4a82712cf92dbe4e76a9a05e412dfdad25af2900150da518, and its MD5 is d147b251173d360e8885bc605e81f2ee. This hash is the file's unique fingerprint — two files with the same SHA-256 are identical. Use it to confirm you're looking at exactly this file (not just one with the same name) when comparing against antivirus databases or a download's published checksum.
- Based on this scan, yes — GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe shows no threat indicators and is properly signed. The important caveat is source: make sure you downloaded it from the official website or a trusted store, because attackers sometimes distribute malware-laced copies under a legitimate file's name. If your own antivirus flags it while we report it clean, that is most often a false positive, but verify the source before overriding your antivirus.
- This report reflects the scan run on July 13, 2026. Because a file's hash never changes, the identity of GrammarlyOnlineSetup.e5J0Ova0tvcjatj3dsji0602.exe is fixed — but antivirus coverage improves over time, so a file that looks clean today can pick up detections later (and vice-versa). If you need the latest picture, MalwareTips staff can re-run the analysis from scratch.
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.