Magnify.exe
- File Path:
C:\Windows\system32\Magnify.exe - Description: Microsoft Screen Magnifier
Hashes
| Type | Hash |
|---|---|
| MD5 | 4029890C147E3B4C6F41DFB5F9834D42 |
| SHA1 | 10D08B3F6DABE8171CA2DD52E5737E3402951C75 |
| SHA256 | 57137F784594793DC0669042CCD3A71DDBFEDEB77DA6D97173D82613E08ADD4D |
| SHA384 | BB1E315A593C2C855128AAE4E832744701DA608DD596ECCA949D87886F57D8D966632EF13F27897AE9AD4DE20FF49A65 |
| SHA512 | DBDC60F8692F13C23DBED0B76E9C6758A5B413BD6AAF4E4D0BA74E69C0871EB759DA95C3F85A31D972388B545DCF3BB8ABBCBEDD29A1E7E48C065130B98B893D |
| SSDEEP | 12288:4QuHcVUuw5xoDzF8Q4ejsGL3H4RLPsQitWsNr:JuiUuA+AG8RLPfiwE |
| IMP | 6216450101152D0036F417D9E310935B |
| PESHA1 | 7D8DF3BDD4343CD281139E2AA63F535F85447870 |
| PE256 | C3BD34FF570C4FBA87044A9C32FC5BD0A91C36F0784010DFCB41D7E6AC1F0AE7 |
Runtime Data
Window Title:
Magnifier
Open Handles:
| Path | Type |
|---|---|
| (R–) C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\M1033David.keyboard.WVE | File |
| (R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb | File |
| (R-D) C:\Windows\System32\en-US\combase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\Magnify.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\SRH.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\windows.ui.xaml.dll.mui | File |
| (R-D) C:\Windows\SystemResources\Magnify.exe.mun | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_91a11828cc8ae445 | File |
| (RWD) C:\Windows\Fonts\segoeui.ttf | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\BaseNamedObjects{73444B0D-3A11-4743-9CCD-437C6A841629}-Map-GLOBAL | Section |
| \Sessions\1\BaseNamedObjects{CC6EFD99-8292-49F5-A838-376806FD3A44}-Map-S-1-16-12288 | Section |
| \Sessions\1\BaseNamedObjects\1e24HWNDInterface:70054 | Section |
| \Sessions\1\BaseNamedObjects\1e24HWNDInterface:70066 | Section |
| \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme449731986 | Section |
| \Windows\Theme1396518710 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\system32\dwmapi.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\system32\MAGNIFICATION.dll |
| C:\Windows\system32\Magnify.exe |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\system32\OLEACC.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\system32\UIAutomationCore.DLL |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\COMCTL32.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_91a11828cc8ae445\gdiplus.dll |
Signature
- Status: Signature verified.
- Serial:
33000002EC6579AD1E670890130000000002EC - Thumbprint:
F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: ScreenMagnifier.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d/detection
Possible Misuse
The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | - 'magnify.exe' |
DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | - 'Magnify.exe' |
DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' |
DRL 1.0 |
| atomic-red-team | T1546.008.md | * Magnifier: C:\Windows\System32\Magnify.exe |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | description = “Abnormal magnify.exe (Magnifier) - typical strings not found in file” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = “Software\Microsoft\Magnify” wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename ==”magnify.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.