Magnify.exe

  • File Path: C:\WINDOWS\system32\Magnify.exe
  • Description: Microsoft Screen Magnifier

Hashes

| Type | Hash |
|------|------|
| MD5 | 2587CAB4856F90BD98A7D8451BD2A997 |
| SHA1 | DDB93798631E62D5AD88A1E0D15392CA86D3467A |
| SHA256 | 360CBAA2EF0F314AF6FB364D664A02403A06736B8A301AF228C344BEF7567274 |
| SHA384 | 6A4B32CBD42DD1D935AD1D2E85579E0C57522E0E93238E490849DCE10857DA23C9A651150193E76FB7A8EDEA199EBE69 |
| SHA512 | 8315EBDBA5E0B8C918C9A50BA117FDEC4BFA6069718F22DB88C7CF711B66471DD37DF6F76EC89A8472CA30EBA71B30063F20CABAB8FD7FE22EEAA16089CADEE7 |
| SSDEEP | 6144:RH9pV8Xv6h4WJlVY46jIx8GfOby13UtHpnzLadC8VdTiuHunwV:DpKXbqD6jI573UthaBVdA |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_install_reg_debugger_backdoor.yml | `- 'magnify.exe'` | DRL 1.0 |
| sigma | proc_creation_win_stickykey_like_backdoor.yml | `- 'Magnify.exe'` | DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | `- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'` | DRL 1.0 |
| atomic-red-team | T1546.008.md | `* Magnifier: C:\Windows\System32\Magnify.exe` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | `\| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\|` | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | `description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `$winxp = "Software\Microsoft\Magnify" wide` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `filename == "magnify.exe"` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.