• File Path: C:\Windows\system32\Magnify.exe
  • Description: Microsoft Screen Magnifier


Type Hash
MD5 88156DA1B88F03E6591359587F3FAF2C
SHA1 3E44758C3140A0129700DDAE611F70D3492E5C39
SHA256 82EA54BB8C1A96AE09CB240BB14CFF8A6A6E612F76FBB0AE39A4A10E2E3CB318
SHA384 69451F3B26743B2DB192F5057994FE127599723E1F7447E6369F16776165CE325D6877A67FDE59158AB30D3E9CDCBCDA
SHA512 60A297B4656CCA770C81E6FD09927DFECA51383DA9809565E5E5F428F85494BEB711A6604FE2372896D5F0B805CC3FAC0F5022227D79012D6D50AB5B52889EC1
SSDEEP 12288:t4ZkNIN03Ps/n6Vpt8XB04dDuc/04dDuc/vq:t4boEgp/4xI4x7v


  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\windows\system32\Magnify.exe 65
C:\windows\SysWOW64\Magnify.exe 61
C:\Windows\SysWOW64\Magnify.exe 55

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\magnify.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe Magnify.exe *' DRL 1.0
atomic-red-team * Magnifier: C:\Windows\System32\Magnify.exe MIT License. © 2018 Red Canary
atomic-red-team | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal magnify.exe (Magnifier) - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Magnify” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename ==”magnify.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.