• File Path: C:\WINDOWS\system32\Magnify.exe
  • Description: Microsoft Screen Magnifier


Type Hash
MD5 2587CAB4856F90BD98A7D8451BD2A997
SHA1 DDB93798631E62D5AD88A1E0D15392CA86D3467A
SHA256 360CBAA2EF0F314AF6FB364D664A02403A06736B8A301AF228C344BEF7567274
SHA384 6A4B32CBD42DD1D935AD1D2E85579E0C57522E0E93238E490849DCE10857DA23C9A651150193E76FB7A8EDEA199EBE69
SHA512 8315EBDBA5E0B8C918C9A50BA117FDEC4BFA6069718F22DB88C7CF711B66471DD37DF6F76EC89A8472CA30EBA71B30063F20CABAB8FD7FE22EEAA16089CADEE7
SSDEEP 6144:RH9pV8Xv6h4WJlVY46jIx8GfOby13UtHpnzLadC8VdTiuHunwV:DpKXbqD6jI573UthaBVdA


  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\magnify.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe Magnify.exe *' DRL 1.0
atomic-red-team * Magnifier: C:\Windows\System32\Magnify.exe MIT License. © 2018 Red Canary
atomic-red-team | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal magnify.exe (Magnifier) - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Magnify” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename ==”magnify.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.