convert.exe

  • File Path: C:\Windows\SysWOW64\convert.exe
  • Description: File System Conversion Utility

Hashes

Type Hash
MD5 403796E5FE1A26EA37D69B8D4D8BC1BA
SHA1 CFF2A6ABC5B899391B34618D2FC1C88192595030
SHA256 E0A1B8B41A7499048FC515A90865D115B3E7E3CD9356FFD702880935CD2AB2AA
SHA384 92BBC415412F5212800CCA099CB719E11BEF8B8C7B43FE8031A68B83281CD6D1E432258503DB046D1DC471FD8F2E1803
SHA512 6EC004ABDF8FB4054AF0479DB64CA06C602751D861BA5FEA3719F03864BC0A63980BAD0766540F57A0C0BEEE005130505DF5B6EF664C38D00076623EE3B480B0
SSDEEP 384:pp4z/zKn/Fuagz8Xf2Idvm/e45PNwWBqWT:ppU/zK/mzpA7OP5

Runtime Data

Usage (stdout):

Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]


  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.

Usage (stderr):

Invalid drive specification.

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONVERT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
  • Product Version: 10.0.14393.2457
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_eda.yml - '[Convert]::ToString($SYNOptions, 16)' DRL 1.0
sigma powershell_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_pm_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-NameToSid DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-ADName DRL 1.0
sigma posh_ps_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma proc_creation_win_mimikatz_command_line.yml - 'function Convert-GuidToCompressedGuid' DRL 1.0
sigma proc_creation_win_ransom_blackbyte.yml - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-ADName DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-SidToName DRL 1.0
atomic-red-team T1027.md $EncodedCommand =[Convert]::ToBase64String($Bytes) MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\AtomicRedTeam’).ART))) MIT License. © 2018 Red Canary
atomic-red-team T1098.001.md $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md $Content = [System.Convert]::FromBase64String($key) MIT License. © 2018 Red Canary
signature-base apt_aus_parl_compromise.yar $x1 = “Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $x2 = “eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s1 = “<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s2 = “{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a1 = “function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a2 = “function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $x2 = “convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s6 = “* Failed to convert destination address into sockaddr_storage values” fullword wide CC BY-NC 4.0
signature-base apt_hafnium.yar $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get” CC BY-NC 4.0
signature-base apt_muddywater.yar /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s2 = “$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig_oct17.yar $s3 = “$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText(‘%Base%’));[io.file]::WriteAllBytes(“ ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar $encfile = “New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)” CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = “Convert mode: Read log from file and convert to text” CC BY-NC 4.0
signature-base apt_tophat.yar $s1 = “= New-Object IO.MemoryStream(,[Convert]::FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_turla_neuron.yar $ = “Convert.FromBase64String(temp[1])” fullword ascii CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii CC BY-NC 4.0
signature-base expl_proxyshell.yar $s01 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[” ascii wide CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s2 = “$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s1 = “$Base64Decoded = [Convert]::FromBase64String($Cpassword)” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = “$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)” fullword ascii CC BY-NC 4.0
signature-base gen_invoke_thehash.yar $s3 = “$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}” fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s10 = “= [System.Convert]::FromBase64String("/” ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s5 = “= [System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s3 = “[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $p3 = “[System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s3 = “if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘QQBNAEQANgA0AA==’)))) {“ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s5 = “-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘MAAxADQAQwA=’))))” ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s1 = “if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “WSocketResolveHost: Cannot convert host address ‘%s’” CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “System.Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base webshell_xsl_transform.yar $x2 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(“ CC BY-NC 4.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

convert

Converts a disk from one disk type to another.

Syntax

convert basic
convert dynamic
convert gpt
convert mbr

Parameters

Parameter Description
convert basic command Converts an empty dynamic disk into a basic disk.
convert dynamic command Converts a basic disk into a dynamic disk.
convert gpt command Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style.
convert mbr command Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.