• File Path: C:\windows\system32\Magnify.exe
  • Description: Microsoft Screen Magnifier


Type Hash
MD5 184D10CE4DC3456B5A39BE9CD273E7E5
SHA1 0F3DCA80EAB4C4D721A54E605AE465CB79E9B5FE
SHA256 DF7A3919ABE2DA4172FDB97D086D81518A2BCD4B030F644F51488F92198C4776
SHA384 718F54BAEFFFDD82736531D85E14376DB99B2D5379D47B5943AA6FF8897424C1AD2E524323C11D7FEEB19447A31443FD
SHA512 ED5B05C7310F18AE28B5C68AADB17A7744B91C0AE79AFF16DF312CE8AF875EE591EB4B5F614199CD744289328C8CF542AD338B4145EB11365C07DB97FF0D02BE
SSDEEP 12288:vYLNC3ri77QKTt8XB04dDuc/04dDuc/vq:v0agQu/4xI4x7v


  • Status: The file C:\windows\system32\Magnify.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: ScreenMagnifier.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Magnify.exe 65
C:\windows\SysWOW64\Magnify.exe 63
C:\Windows\SysWOW64\Magnify.exe 54

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\magnify.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe Magnify.exe *' DRL 1.0
atomic-red-team * Magnifier: C:\Windows\System32\Magnify.exe MIT License. © 2018 Red Canary
atomic-red-team | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal magnify.exe (Magnifier) - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Magnify” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename ==”magnify.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.