convert.exe
- File Path:
C:\WINDOWS\system32\convert.exe
- Description: File System Conversion Utility
Hashes
Type | Hash |
---|---|
MD5 | 27810AD3D1479BDF78517EFDB7D05938 |
SHA1 | 5C6BFE796FC727555E15DC3A6A69F62D54F7ED8C |
SHA256 | 934E31A623332839C4068C8565EFD5E9718B58C46B42D865034A690CDD3FB1A1 |
SHA384 | C48858869FD2E1213546827B147BDD67FF3B2796F1B3BE03FBCC1254F216683B98E8DB06AE52A3174AF18E196A33D173 |
SHA512 | 39AED39711173327E27A2CA91D0F8845CA61B4664ED742ED96BDF3FBDA21F8C045463F94F2477E1E5833A1E9A962914BF940635235DA172B58156AE1578AC51C |
SSDEEP | 384:LRR3cNJyL/72TtOfKuXvZ7ThK8y7jPNzW3qW:LjCJyLz8tkXvxWjPe |
Runtime Data
Usage (stdout):
Converts a FAT volume to NTFS.
CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]
volume Specifies the drive letter (followed by a colon),
mount point, or volume name.
/FS:NTFS Specifies that the volume will be converted to NTFS.
/V Specifies that Convert will be run in verbose mode.
/CvtArea:filename
Specifies a contiguous file in the root directory
that will be the place holder for NTFS system files.
/NoSecurity Specifies that the security settings on the converted
files and directories allow access by all users.
/X Forces the volume to dismount first if necessary.
All open handles to the volume will not be valid.
Usage (stderr):
Invalid drive specification.
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232
- Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CONVERT.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1 (WinBuild.160101.0800)
- Product Version: 10.0.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that the rows below are string matches on "convert": almost all of them refer to the .NET [System.Convert] class (Base64 encoding and decoding inside PowerShell, JScript or C# payloads) or to PowerView's Convert-* cmdlets, not to convert.exe itself, so a hit on one of these strings is not by itself evidence that convert.exe was run.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_eda.yml | - '[Convert]::ToString($SYNOptions, 16)' | DRL 1.0 |
sigma | powershell_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | posh_pm_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-NameToSid | DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-ADName | DRL 1.0 |
sigma | posh_ps_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | proc_creation_win_mimikatz_command_line.yml | - 'function Convert-GuidToCompressedGuid' | DRL 1.0 |
sigma | proc_creation_win_ransom_blackbyte.yml | - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' | DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-ADName | DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-SidToName | DRL 1.0 |
atomic-red-team | T1027.md | $EncodedCommand =[Convert]::ToBase64String($Bytes) | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.md | powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) | MIT License. © 2018 Red Canary |
atomic-red-team | T1098.001.md | $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | $Content = [System.Convert]::FromBase64String($key) | MIT License. © 2018 Red Canary |
signature-base | apt_aus_parl_compromise.yar | $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s1 = "<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide | CC BY-NC 4.0 |
signature-base | apt_hafnium.yar | $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get" | CC BY-NC 4.0 |
signature-base | apt_muddywater.yar | /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig_oct17.yar | $s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $encfile = "New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)" | CC BY-NC 4.0 |
signature-base | apt_project_sauron_extras.yar | $s2 = "Convert mode: Read log from file and convert to text" | CC BY-NC 4.0 |
signature-base | apt_tophat.yar | $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String("" ascii | CC BY-NC 4.0 |
signature-base | apt_turla_neuron.yar | $ = "Convert.FromBase64String(temp[1])" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_unc2447_sombrat.yar | $x1 = "powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::" ascii | CC BY-NC 4.0 |
signature-base | expl_proxyshell.yar | $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s2 = "$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_invoke_thehash.yar | $s3 = "$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") \| ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s10 = "= [System.Convert]::FromBase64String("/" ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s5 = "= [System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_empire.yar | $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_susp.yar | $p3 = "[System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s3 = "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s5 = "-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s1 = "if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::" ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = "WSocketResolveHost: Cannot convert host address '%s'" | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = "System.Convert.FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | webshell_xsl_transform.yar | $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" | CC BY-NC 4.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- | Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); | Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); | Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0 |
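Nearly every row above is a substring hit on the .NET [Convert] class rather than a run of convert.exe, so a responder working from these matches has to separate the two. The Python script below is an example added to this page; it is not Strontic's tooling and not code from sigma, atomic-red-team, signature-base or stockpile. It triages constructed Sysmon-style ProcessCreate records (assumed field names Image and CommandLine; no record is a real capture): for a process image that really is convert.exe it checks the folder against the System32/SysWOW64 locations and flags the /X and /NoSecurity switches whose effects the usage text above describes, and for a PowerShell command line using [Convert] it decodes any inline FromBase64String literal (UTF-16LE first, which is what [Text.Encoding]::Unicode produces, then UTF-8) and notes whether the result feeds IEX. The literal 'QQBNAEQANgA0AA==' is the one quoted from gen_powershell_toolkit.yar in the table; the 'whoami' literal and the third-party path are constructed.

```python
"""Triage constructed process-creation records to separate a real convert.exe
run from a PowerShell command line that merely uses .NET [Convert].

Example code added to this page, not Strontic's tooling. The records are
constructed (assumption: Sysmon ProcessCreate-style Image/CommandLine fields).
"""
import base64
import re

EVENTS = [
    # 1: the real utility, with the two switches whose effects the usage text
    #    above spells out (forced dismount, files accessible by all users).
    {"Image": r"C:\Windows\System32\convert.exe",
     "CommandLine": "convert D: /FS:NTFS /X /NoSecurity"},
    # 2: decode-and-execute; the literal is constructed and decodes to "whoami".
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command IEX ([Text.Encoding]::Unicode.GetString("
                    "[Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"},
    # 3: the architecture check quoted from gen_powershell_toolkit.yar; the
    #    literal decodes to "AMD64" and nothing is executed.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command if ($Env:PROCESSOR_ARCHITECTURE -eq "
                    "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
                    "'QQBNAEQANgA0AA==')))) { exit }"},
    # 4: a third-party program that happens to be named convert.exe
    #    (constructed path, not a real product location).
    {"Image": r"C:\Program Files\SomeTool\convert.exe",
     "CommandLine": 'convert "in.png" -flip out.png'},
]

CONVERT_EXE_RE = re.compile(r"\\convert\.exe$", re.IGNORECASE)
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RISKY_SWITCHES = {
    "/x": "forced dismount; open handles to the volume become invalid",
    "/nosecurity": "converted files and directories accessible by all users",
}
DOTNET_CONVERT_RE = re.compile(r"\[(?:System\.)?Convert\]::|System\.Convert\.", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)


def decode_literal(b64):
    """Decode an inline Base64 literal. [Text.Encoding]::Unicode is UTF-16LE, so
    try that first and accept it only if the result is printable ASCII; then
    try UTF-8; otherwise return the raw bytes as hex."""
    raw = base64.b64decode(b64)
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(32 <= ord(c) < 127 for c in text):
            return text
    return raw.hex()


def triage(event):
    """Classify one record and return the findings a responder would want."""
    image, cmd = event["Image"], event["CommandLine"]
    res = {"kind": "other", "location": None, "executes": False, "decoded": [], "notes": []}
    if CONVERT_EXE_RE.search(image):
        res["kind"] = "convert.exe"
        folder = image.rsplit("\\", 1)[0].lower()
        res["location"] = "expected" if folder in EXPECTED_DIRS else "unexpected"
        tokens = cmd.lower().split()
        res["notes"] = [f"{sw}: {why}" for sw, why in RISKY_SWITCHES.items() if sw in tokens]
    elif DOTNET_CONVERT_RE.search(cmd):
        res["kind"] = "dotnet-convert"
        res["executes"] = bool(EXEC_RE.search(cmd))
        res["decoded"] = [decode_literal(m) for m in B64_LITERAL_RE.findall(cmd)]
        if res["executes"] and "frombase64string" in cmd.lower():
            res["notes"].append("Base64 decode feeding Invoke-Expression")
    return res


def triage_all(events=EVENTS):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for e, r in zip(EVENTS, triage_all()):
        print(e["Image"].rsplit("\\", 1)[-1], r)
```

The ASCII-only acceptance test matters: UTF-8 bytes of even length decode as UTF-16LE without error but produce CJK-range characters, so without that check a UTF-8 literal such as "aGVsbG8=" would be reported wrongly. Literals that are read from a file or the registry at runtime (most of the atomic-red-team rows) cannot be decoded from the command line alone and are left as a decode-plus-execute finding only.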
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license. Note that this MicrosoftDocs entry describes the convert subcommand of diskpart (basic, dynamic, gpt, mbr), which changes a disk's type or partition style; it is not documentation for the convert.exe FAT-to-NTFS utility described above. The two share only a name.
convert
Converts a disk from one disk type to another.
Syntax
convert basic
convert dynamic
convert gpt
convert mbr
Parameters
Parameter | Description |
---|---|
convert basic command | Converts an empty dynamic disk into a basic disk. |
convert dynamic command | Converts a basic disk into a dynamic disk. |
convert gpt command | Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style. |
convert mbr command | Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style. |
MIT License. Copyright (c) 2020-2021 Strontic.