Magnify.exe

  • File Path: C:\Windows\SysWOW64\Magnify.exe
  • Description: Microsoft Screen Magnifier

Hashes

Type    Hash
MD5     0F4136E6904FE57928F6D2F9DAF5A48F
SHA1    FF1A4FEBE252EC255A0B78FE129246BD41EB0F22
SHA256  24DD719B95F5451BCDE90C3A140865BE212007BB2C077D08309F6C59F7149CC4
SHA384  4326957ED096ECD0E8D243FF9A7DB829D858A82C1A56015DF212EE2AD0AEEDC8DE1E38B9CA34AF0BA656C33AADA5071B
SHA512  6720391C57A41BBD4C56BF251CD4047EF5AF3D1829ECA51622AD20F8EB075D27DCC1445D08C8E1D26701A6F87DC981D72FB6D01BDD0858D9BC9A6FF213484013
SSDEEP  6144:SzUptVn68+qYc+AMC4pmhPj+uhgL0WuQ/OwikOTCIMG0zbuQSHzVIjQQW2PlQbvm:SWP68LZMCtng7uRbF7AkAQQxlQhh+
IMP     311022ADCA695B5FED4C0D6301A7F157
PESHA1  249C9837B01A621BA64688CD374D3CF6DA8806DA
PE256   83953A045A765F34F7A6E19DDE4B515BC7D315B8D3AC396FF16C35BDB86897D4

Runtime Data

Window Title:

Magnifier

Open Handles:

Access  Path                                                                                                                        Type
(R-D)   C:\Windows\apppatch\DirectXApps_FOD.sdb                                                                                     File
(R-D)   C:\Windows\System32\en-US\combase.dll.mui                                                                                   File
(R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui                                                                                File
(R-D)   C:\Windows\System32\en-US\Magnify.exe.mui                                                                                   File
(R-D)   C:\Windows\SystemResources\Magnify.exe.mun                                                                                  File
(R-D)   C:\Windows\SysWOW64\en-US\windows.ui.xaml.dll.mui                                                                           File
(RW-)   C:\Users\user                                                                                                               File
(RW-)   C:\Windows                                                                                                                  File
(RW-)   C:\Windows\SysWOW64                                                                                                         File
(RW-)   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984               File
(RW-)   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_d94e4effe1070d4b                       File
(RWD)   C:\Windows\Fonts\segoeui.ttf                                                                                                File
        \BaseNamedObjects\__ComCatalogCache__                                                                                       Section
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db  Section
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db  Section
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2                                                        Section
        \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0                                                                                 Section
        \BaseNamedObjects\NLS_CodePage_437_3_2_0_0                                                                                  Section
        \Sessions\1\BaseNamedObjects\1964HWNDInterface:25084a                                                                       Section
        \Sessions\1\BaseNamedObjects\1964HWNDInterface:2e05ec                                                                       Section
        \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference                                                                Section
        \Sessions\1\BaseNamedObjects\windows_shell_global_counters                                                                  Section
        \Sessions\1\Windows\Theme449731986                                                                                          Section
        \Windows\Theme1396518710                                                                                                    Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Magnify.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1266 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1266
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/24dd719b95f5451bcde90c3a140865be212007bb2c077d08309f6c59f7149cc4/detection

Possible Misuse

The following table lists known examples of Magnify.exe being referenced in detection rules and test frameworks as a possible misuse target. Magnify.exe is not itself malicious, but its legitimate functionality (an accessibility binary launched from the Windows logon screen) can be abused for malicious purposes.

Source          Source File                                          Example                                                                                                                                                                                                                                     License
sigma           proc_creation_win_install_reg_debugger_backdoor.yml  - 'magnify.exe'                                                                                                                                                                                                                              DRL 1.0
sigma           proc_creation_win_stickykey_like_backdoor.yml        - 'Magnify.exe'                                                                                                                                                                                                                              DRL 1.0
sigma           registry_event_stickykey_like_backdoor.yml           - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'                                                                                                                                         DRL 1.0
atomic-red-team T1546.008.md                                         * Magnifier: C:\Windows\System32\Magnify.exe                                                                                                                                                                                                MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md                                         | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe|  MIT License. © 2018 Red Canary
signature-base  thor_inverse_matches.yar                             description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"                                                                                                                                                        CC BY-NC 4.0
signature-base  thor_inverse_matches.yar                             $winxp = "Software\Microsoft\Magnify" wide                                                                                                                                                                                                   CC BY-NC 4.0
signature-base  thor_inverse_matches.yar                             filename == "magnify.exe"                                                                                                                                                                                                                    CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.