Magnify.exe

  • File Path: C:\WINDOWS\SysWOW64\Magnify.exe
  • Description: Microsoft Screen Magnifier

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScreenMagnifier.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/62de892f7500d2afd9563b6abd0ef9f6f6e2c152c43466bd40fa12b5fb55d320/detection

Possible Misuse

The following table contains possible examples of Magnify.exe being misused. While Magnify.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | process_creation_stickykey_like_backdoor.yml | `- 'Magnify.exe'` | DRL 1.0 |
| sigma | win_install_reg_debugger_backdoor.yml | `- 'magnify.exe'` | DRL 1.0 |
| sigma | registry_event_stickykey_like_backdoor.yml | `- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'` | DRL 1.0 |
| atomic-red-team | T1546.008.md | `* Magnifier: C:\Windows\System32\Magnify.exe` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | `\| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\|` | MIT License. © 2018 Red Canary |
| signature-base | thor_inverse_matches.yar | `description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `$winxp = "Software\Microsoft\Magnify" wide` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `filename =="magnify.exe"` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.