convert.exe

  • File Path: C:\WINDOWS\system32\convert.exe
  • Description: File System Conversion Utility

Hashes

Type Hash
MD5 27810AD3D1479BDF78517EFDB7D05938
SHA1 5C6BFE796FC727555E15DC3A6A69F62D54F7ED8C
SHA256 934E31A623332839C4068C8565EFD5E9718B58C46B42D865034A690CDD3FB1A1
SHA384 C48858869FD2E1213546827B147BDD67FF3B2796F1B3BE03FBCC1254F216683B98E8DB06AE52A3174AF18E196A33D173
SHA512 39AED39711173327E27A2CA91D0F8845CA61B4664ED742ED96BDF3FBDA21F8C045463F94F2477E1E5833A1E9A962914BF940635235DA172B58156AE1578AC51C
SSDEEP 384:LRR3cNJyL/72TtOfKuXvZ7ThK8y7jPNzW3qW:LjCJyLz8tkXvxWjPe

Runtime Data

Usage (stdout):

Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]


  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.

Usage (stderr):

Invalid drive specification.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONVERT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_eda.yml - '[Convert]::ToString($SYNOptions, 16)' DRL 1.0
sigma powershell_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_pm_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-NameToSid DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-ADName DRL 1.0
sigma posh_ps_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma proc_creation_win_mimikatz_command_line.yml - 'function Convert-GuidToCompressedGuid' DRL 1.0
sigma proc_creation_win_ransom_blackbyte.yml - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-ADName DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-SidToName DRL 1.0
atomic-red-team T1027.md $EncodedCommand =[Convert]::ToBase64String($Bytes) MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\AtomicRedTeam’).ART))) MIT License. © 2018 Red Canary
atomic-red-team T1098.001.md $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md $Content = [System.Convert]::FromBase64String($key) MIT License. © 2018 Red Canary
signature-base apt_aus_parl_compromise.yar $x1 = “Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $x2 = “eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s1 = “<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s2 = “{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a1 = “function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a2 = “function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $x2 = “convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s6 = “* Failed to convert destination address into sockaddr_storage values” fullword wide CC BY-NC 4.0
signature-base apt_hafnium.yar $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get” CC BY-NC 4.0
signature-base apt_muddywater.yar /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s2 = “$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig_oct17.yar $s3 = “$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText(‘%Base%’));[io.file]::WriteAllBytes(“ ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar $encfile = “New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)” CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = “Convert mode: Read log from file and convert to text” CC BY-NC 4.0
signature-base apt_tophat.yar $s1 = “= New-Object IO.MemoryStream(,[Convert]::FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_turla_neuron.yar $ = “Convert.FromBase64String(temp[1])” fullword ascii CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii CC BY-NC 4.0
signature-base expl_proxyshell.yar $s01 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[” ascii wide CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s2 = “$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s1 = “$Base64Decoded = [Convert]::FromBase64String($Cpassword)” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = “$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)” fullword ascii CC BY-NC 4.0
signature-base gen_invoke_thehash.yar $s3 = “$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}” fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s10 = “= [System.Convert]::FromBase64String("/” ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s5 = “= [System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s3 = “[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $p3 = “[System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s3 = “if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘QQBNAEQANgA0AA==’)))) {“ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s5 = “-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘MAAxADQAQwA=’))))” ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s1 = “if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “WSocketResolveHost: Cannot convert host address ‘%s’” CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “System.Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base webshell_xsl_transform.yar $x2 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(“ CC BY-NC 4.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


convert

Converts a disk from one disk type to another.

Syntax

convert basic
convert dynamic
convert gpt
convert mbr

Parameters

Parameter Description
convert basic command Converts an empty dynamic disk into a basic disk.
convert dynamic command Converts a basic disk into a dynamic disk.
convert gpt command Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style.
convert mbr command Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.