Magnify.exe

  • File Path: C:\WINDOWS\system32\Magnify.exe
  • Description: Microsoft Screen Magnifier

Hashes

Type Hash
MD5 BCAB41F69CE78DC3EDBA8C2E51161D44
SHA1 C402D24FE3E31F8CF5C2BA996686850B391AE031
SHA256 66659CB6A0E4BA9EC7581C903D448877B25A7499D576A9D98EC06DE110C42AFA
SHA384 E72D56BAF5837B506456119C3266245A79864E6C92252ABBA3286E8422DEBE1513D0084F269269311F3BE823B6BF492E
SHA512 C6992867202569148BEFFE4CB535E57EAB1660C66491EB3235B9C326CDCE99BD899F37A70CE7FA40459652F5E207E54F78EFF81566D4B13F9C6B12D9EBE39239
SSDEEP 12288:PHW1rkFR2fE5wlINrrXF1WVFL+isTf9P9AS2Y:e1rTWrrVoqdf9qS2
IMP 2AAA426C9C60A1CDE1813D7E9180490C
PESHA1 C6F5830F0659966E983F6F713867B7ECC6552987
PE256 DDFCB179F1885CC70878BB68DCDF37E03AF739B619E1865D6A7A4FAB7FF14CA0

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/66659cb6a0e4ba9ec7581c903d448877b25a7499d576a9d98ec06de110c42afa/detection

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma process_creation_stickykey_like_backdoor.yml - 'Magnify.exe' DRL 1.0
sigma win_install_reg_debugger_backdoor.yml - 'magnify.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md * Magnifier: C:\Windows\System32\Magnify.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = “Abnormal magnify.exe (Magnifier) - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Magnify” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename ==”magnify.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.