screensteps.exe

Blue Mango Multimedia LLC

The file screensteps.exe by Blue Mango Multimedia has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from www.bluemangolearning.com.

Publisher:
ScreenSteps (signed by Blue Mango Multimedia LLC)

Product:
ScreenSteps

MD5:
0fecca673cac264bba2da84a7fcd213f

SHA-1:
5366a6134e1b267131f1033a77ff2049e4e861bd

SHA-256:
a6615fbf0323b508237659ed54e75bc3098f115248ab7b92565e96d1ed355067

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/28/2024 1:32:55 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore.CSH (L)

Engine version:
16.11.30.19

File size:
36.4 MB (38,163,840 bytes)

Product version:
4.0

Copyright:
Copyright (c) 2008-2016 ScreenSteps

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\screensteps.exe.eutjhbl.partial

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/10/2016 6:00:00 PM

Valid to:
1/10/2019 5:59:59 PM

Subject:
CN=Blue Mango Multimedia LLC, O=Blue Mango Multimedia LLC, STREET=1948 Foxhall Road, L=McLean, S=Virginia, PostalCode=22101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2D9CB898B6409704BF430D4ABBBB83C1

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
786432:qqaN8kXDADGLwDJPybKZBLCfgQDABv1PCL8SLQS5eCSjL:KN8Mw0wDJab4BLkgGmqnUoK

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
Entropy:
8.0000

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file screensteps.exe has been seen being distributed from the following URL.

https://www.bluemangolearning.com/download/screensteps/4_0/.../ScreenSteps.exe
