GrooveMonitor.exe

GrooveMonitor Utility

Microsoft Corporation

The executable GrooveMonitor.exe has been detected as malware by 16 anti-virus scanners. It is set to execute automatically when any user logs into Windows, through the all-users Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'GrooveMonitor'. The host file is the GrooveMonitor component of Microsoft Office 2007 (the office12 path and the 12.0.x version below), and the Run entry is the one Office itself installs; the sample is a copy of that file infected by an entry-point-obscuring polymorphic file infector (identified by most engines below as Sality) that joins a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address dev.ucoz.net on port 80 using the HTTP protocol.
Publisher:
Microsoft Corporation

Product:
GrooveMonitor Utility

Version:
12.0.4518.1014

MD5:
6067319206a6ef1a787277ca636d37dd

SHA-1:
c546ec7a0cbe93405f470714dc2fe496d3ea5a8b

SHA-256:
6191a6c2035362cee47875bb699170d7e4e47d719d9f72aaa7ce57707531f2a8

Scanner detections:
16 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
5/16/2025 5:24:02 AM UTC

Scan engine                      Detection                  Engine version
Lavasoft Ad-Aware                Win32.Sality.OG            5813612
Avira AntiVirus                  W32/Sality.Y               7.11.30.172
avast!                           Win32:Sality               160114-1
AVG                              Win32/Tanatos.T            2015.0.4489
Boost by Reason                  Optional.Startup           188838
Clam AntiVirus                   W32.Sality-65              0.98/21260
Dr.Web                           Win32.Sector.12            9.0.1.05190
Emsisoft Anti-Malware            Win32.Sality.OG            10.0.0.5366
ESET NOD32                       Win32/Sality.NAU virus     7.0.302.0
F-Prot                           W32/Sality.AK              4.6.5.141
F-Secure                         Win32.Sality.OG            5.15.21
McAfee                           Virus.W32/Sality.gen.z     18.0.204.0
Microsoft Security Essentials    Threat.Undefined           1.213.2997.0
Norman                           Win32.Sality.OG            11.01.2016 17:30:26
Sophos                           Virus 'W32/Sality-AM'      5.22
VIPRE Antivirus                  Threat.416209              46444

File size:
102.3 KB (104,744 bytes)

Product version:
4.2.0.2623

Copyright:
© 2006 Microsoft Corporation. All rights reserved.

Original file name:
GrooveMonitor.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\microsoft office\office12\groovemonitor.exe

File PE Metadata
Compilation timestamp:
10/27/2006 4:53:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
3072:H9OrbBqwSSwGpn4UQTRW/lCGt6fbgUMLB0Rz8:GBq3G6UQT4MojUMLB0l

Entry address:
0x2A96

Entry point:
60, E8, A1, 02, 00, 00, 31, D2, 15, 0D, 9C, EF, F6, 0F, B7, CF, 87, F1, 84, F1, 51, 68, B5, 97, 17, 08, 2B, D2, 52, FF, 15, B4, 40, 40, 00, 33, F0, 08, C2, 71, 07, 33, F3, 0F, A3, D8, 21, F9, 81, C4, 01, 00, 00, 00, EB, 01, D5, D1, D6, 1A, E2, 33, D9, 81, C4, 01, 00, 00, 00, D1, E1, EB, 01, FD, 8D, 3D, CD, 5C, AF, B6, 81, C4, 02, 00, 00, 00, 0F, AB, C1, F7, D6, 0F, C0, E7, D1, F3, 81, C4, 04, 00, 00, 00, 23, CF, 89, EE, 0F, BE, EA, 68, B8, A1, 2E, 02, 6A, 00, FF, 15, F0, 40, 40, 00, 5B, 2B, DD, B2, 51, C0...
 

Packer / compiler:
ASPack v1.08.04

Code size:
10.5 KB (10,752 bytes)
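The PE fields listed above (compilation timestamp, entry address and the bytes at it, linker and OS version, subsystem, code size, ASPack packing) and the hashes and size in the file details can all be checked on a suspect copy of groovemonitor.exe without vendor tooling. The script below is an added example, not code from the report or from Reason Core Security, and uses only the Python standard library (no pefile). Because it has to run without the real sample, it builds a stand-in PE32 image in memory whose header values are taken from the report (the entry-point stub is the first sixteen bytes printed above); that image is constructed, so the comparison against the report's hashes and size comes back negative. Read the real file's bytes and pass them to parse_pe and compare_with_report to triage it. The section-name test is a heuristic: ASPack normally leaves .aspack and .adata sections, but a packer can rename them.

```python
"""Offline PE triage against the report's PE metadata and hashes (added example,
not code from the report or Reason Core Security; standard library only).
A stand-in PE32 image is built in memory so this runs without the real sample."""
import hashlib
import struct
from datetime import datetime, timezone

# IOCs copied from the report.
REPORT_IOCS = {
    "md5": "6067319206a6ef1a787277ca636d37dd",
    "sha1": "c546ec7a0cbe93405f470714dc2fe496d3ea5a8b",
    "sha256": "6191a6c2035362cee47875bb699170d7e4e47d719d9f72aaa7ce57707531f2a8",
    "size": 104744,
}
# First sixteen entry-point bytes as printed in the report (pushad; call ...).
REPORT_ENTRY_STUB = bytes.fromhex("60E8A102000031D2150D9CEFF60FB7CF")
# The report's compilation timestamp, 10/27/2006 4:53:53 AM UTC.
SAMPLE_TIMESTAMP = int(datetime(2006, 10, 27, 4, 53, 53, tzinfo=timezone.utc).timestamp())
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
ASPACK_SECTIONS = {b".aspack", b".adata"}   # names ASPack usually leaves; a heuristic only


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError("RVA 0x%X is outside every section" % rva)


def parse_pe(data):
    """Extract the report's 'File PE Metadata' fields from a PE32 image in memory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe + 4                                             # IMAGE_FILE_HEADER
    n_sections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER32
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image (magic 0x%X)" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(n_sections):                               # IMAGE_SECTION_HEADER
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    entry_off = rva_to_offset(sections, entry_rva)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": "%d.%d" % (lnk_major, lnk_minor),
        "os_version": "%d.%d" % (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": size_of_code,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16].hex(" ").upper(),
        "sections": [s["name"].decode("ascii", "replace") for s in sections],
        "aspack_sections": bool(ASPACK_SECTIONS & {s["name"] for s in sections}),
    }


def compare_with_report(data):
    """Hash the image and say, per IOC, whether it matches the report."""
    seen = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return {k: seen[k] == v for k, v in REPORT_IOCS.items()}


def build_sample_pe():
    """Construct a stand-in PE32 image mirroring the report's headers (not the real file)."""
    secs = [(b".text", 0x1000, 0x1000, 0x200, 0x200),       # name, va, vsize, raw_ptr, raw_size
            (b".aspack", 0x2000, 0x1000, 0x400, 0x1000),
            (b".adata", 0x3000, 0x200, 0x1400, 0x200)]
    entry_rva, coff = 0x2A96, 0x84
    img = bytearray(0x1600)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(secs), SAMPLE_TIMESTAMP, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<HBBI", img, opt, 0x10B, 8, 0, 10752)   # PE32, linker 8.0, SizeOfCode
    struct.pack_into("<I", img, opt + 16, entry_rva)
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<HH", img, opt + 40, 4, 0)              # OS version 4.0
    struct.pack_into("<HHIII", img, opt + 48, 4, 0, 0, 0x4000, 0x200)  # subsys ver, SizeOfImage/Headers
    struct.pack_into("<H", img, opt + 68, 2)                  # Windows GUI
    for i, (name, va, vsize, raw_ptr, raw_size) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i,
                         name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    off = 0x400 + (entry_rva - 0x2000)                        # entry lies inside .aspack
    img[off:off + len(REPORT_ENTRY_STUB)] = REPORT_ENTRY_STUB
    return bytes(img)


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()), compare_with_report(build_sample_pe()), sep="\n")
```

Microsoft does not ship Office binaries packed with ASPack, so ASPack section names on a file at the office12 path are grounds to quarantine it before waiting on scanner verdicts. A pristine Office 2007 copy also carries a Microsoft Authenticode signature, which the infected copy no longer validates against (sigcheck or Get-AuthenticodeSignature on Windows), and comparing the hash with the same file on a known-clean install is the quickest way to tell the two apart on other machines.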

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
GrooveMonitor

Command:
"C:\Program Files\microsoft office\office12\groovemonitor.exe"


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to dev.ucoz.net  (195.216.243.102:80)
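The network indicator above is most useful when run over the web-proxy logs of the machines that have the file at the office12 path. The script below is an added example, not the report's own tooling: it matches Squid-style access-log lines (the format is an assumption, and the lines are constructed, not real traffic) against the host and IP in the report. It matches the host name exactly rather than the parent domain, because ucoz.net is a free web-hosting platform whose other subdomains are unrelated sites, and it records the IP match separately so a hit on the same address over another port is still surfaced.

```python
"""Match proxy log lines against the network indicator in the report above.

Added example, not part of the report. The Squid-style access-log lines are
constructed for illustration and the log format itself is an assumption.
"""
import re

# Network IOC from the report.
IOC_HOST = "dev.ucoz.net"
IOC_IP = "195.216.243.102"

# Constructed sample lines (Squid native format: time elapsed client code/status
# bytes method URL ident hierarchy/peer type). Not real traffic.
SAMPLE_LOGS = """\
1463376242.101    312 10.0.0.15 TCP_MISS/200 1423 GET http://dev.ucoz.net/ - HIER_DIRECT/195.216.243.102 text/html
1463376242.455     88 10.0.0.15 TCP_MISS/200 5123 GET http://www.microsoft.com/ - HIER_DIRECT/13.107.42.16 text/html
1463376250.002    201 10.0.0.22 TCP_MISS/404 512 GET http://myblog.ucoz.net/ - HIER_DIRECT/195.216.243.50 text/html
1463376251.730    150 10.0.0.31 TCP_MISS/200 2048 GET http://195.216.243.102:80/ - HIER_DIRECT/195.216.243.102 text/html
1463376260.900    430 10.0.0.31 TCP_TUNNEL/200 9000 CONNECT dev.ucoz.net:443 - HIER_DIRECT/195.216.243.102 -
"""

LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
                    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$")
URL_RE = re.compile(r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?")


def url_host_port(url):
    """Split host and port out of a proxy URL (CONNECT lines carry host:port only)."""
    m = URL_RE.match(url)
    if not m:
        return "", 0
    port = int(m["port"]) if m["port"] else (443 if m["scheme"] == "https" else 80)
    return m["host"].lower(), port


def find_hits(log_text):
    """Return (timestamp, client, reason) for each line that touches the IOC host or IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, port = url_host_port(m["url"])
        reasons = []
        # Exact host match only: ucoz.net is a free hosting platform, so other
        # *.ucoz.net names are unrelated sites and this rule must not flag them.
        if host == IOC_HOST:
            reasons.append("host %s:%d" % (host, port))
        # The IP is matched whether it appears as the URL host or as the upstream peer.
        if IOC_IP in (host, m["peer"]):
            reasons.append("ip " + IOC_IP)
        if reasons:
            hits.append((m["ts"], m["client"], ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for ts, client, reason in find_hits(SAMPLE_LOGS):
        print(ts, client, reason)
```

Treat an IP-only hit as weaker evidence than the host-name hit, since a hosting provider's address can serve other sites; confirm by hashing groovemonitor.exe on the client that made the request.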

Remove GrooveMonitor.exe - Powered by Reason Core Security