Suspicious
Signed Screenpresso executable shows unusual process injection and LSASS access patterns despite clean engine scans, warranting caution.
59e53f855d2a982053…ed02d95642
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file is clean across 71 engines including all tier-1 scanners, providing strong evidence of no known malware signatures. However, behavioral heuristics highlight process injection (T1055) and credential dumping patterns targeting LSASS, which are atypical for benign software. High code entropy and packing further contribute to suspicion, echoed by a prior similar imphash verdict. The verified signature by Learnpulse SAS (publisher of Screenpresso) is a positive but outweighed by these signals without historical signer data.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- triggeredHeuristics 'MalwareTips.Synth.ProcessInjection' fired (high severity, T1055, svchost.exe evidence)
- triggeredHeuristics 'MalwareTips.Synth.CredentialDumper' fired (medium, lsass.exe evidence)
- signing.signer='Learnpulse SAS' verified=true
- peAnalysis.likelyPacked=true, highEntropyCode=true
- similarHashes[0].verdict='suspicious' (matchKind=imphash)
- 0/71 engines malicious (17 tier1 clean)
- Verified Authenticode signature
- Medium prevalence, no malicious children
- No external intel hits or malicious contacts
- Process injection heuristic (T1055, svchost.exe)
- LSASS targeting (credential dump shape)
- High entropy code (7.62) and likely packed
- Offensive MITRE techniques (5 total)
- No signer history (Learnpulse SAS new to us)
- Similar imphash previously suspicious
Do not run unless verified from official Learnpulse sources. If needed for screen capture, download fresh from the vendor site and re-scan. Consider alternatives if behavior persists.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\Screenpresso.log
- C:\Users\<USER>\Desktop\ScreenpressoTest.exe
- C:\Users\<USER>\AppData\Roaming\Learnpulse\Screenpresso\settings.2816.xml
- C:\Users\<USER>\AppData\Roaming\Learnpulse\Screenpresso\settings.xml
- C:\Users\<USER>\Downloads\ScreenpressoTest.exe
- C:\Users\<USER>\Desktop\ScreenpressoTest.exe
- C:\Users\<USER>\AppData\Roaming\Learnpulse\Screenpresso\settings.2816.xml
- C:\Users\<USER>\Downloads\ScreenpressoTest.exe
- C:\Users\user\AppData\Roaming\Learnpulse\Screenpresso\settings.6712.xml
- C:\Users\user\Desktop\ScreenpressoTest.exe
- LearnPulse.XLogger
- Screenpresso
- Local\SessionImmersiveColorMutex
- Global\OneSettingQueryMutex+compat+encapsulation
- \Sessions\1\BaseNamedObjects\LearnPulse.XLogger
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 63eb4f934d2c67bd0602…ba76bd (never scanned, never seen before)
- 7929f599e0992f389dfb…abc316 (never scanned, never seen before)
- dcfcb556cf6949b53224…dd5d49 (never scanned, never seen before)
- b51684cb1f9f3a344d7f…fd81f5 (never scanned, never seen before)
- a41474388172c6ad6d21…c664ff (never scanned, never seen before)
- c1394ad54051572b5477…c5fbe7 (never scanned, never seen before)
- 1b93f19822373a582c81…ffa348 (never scanned, never seen before)
- 5d1b71b48adecb418295…dc825c (never scanned, never seen before)
- e98012fa12128c004b3a…849d55 (never scanned, never seen before)
- 29be126d6343369f28fb…a5945a (never scanned, never seen before)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
0 detections across 76 engines
Section entropy & packers
Executable sections have high entropy (7.2+) — the code is compressed or encrypted and only decrypted at runtime. Classic packing behaviour.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: Screenpresso.exe
- Size: 45.84 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 59e53f855d2a98205381a72ce833d8c2c7270adc059438bd23538ced02d95642
- MD5: 49b95d19cd1455a02421293dd779b2e6
- SHA-1: cef5ee5e1d0182c7a1dd5b5abbe99874fcf66c81
- PE imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- First seen (VT): 3/27/2026, 7:46:38 AM
- Last analysis (VT): 4/23/2026, 5:15:30 AM
- First scan (MalwareTips): 4/24/2026, 4:42:41 AM
- Last scan (MalwareTips): 4/24/2026, 4:43:58 AM
- Code signer: Learnpulse SAS (verified)