convert.exe
- File Path:
C:\Windows\system32\convert.exe
- Description: File System Conversion Utility
Hashes
Type | Hash |
---|---|
MD5 | 7428F525CBC2AB967913609B11125506 |
SHA1 | 1C5D5E33612B2983FAD12B516DF5CD7EE192C16B |
SHA256 | 9678122ABE2FFEDA75912DA16B188C755B7517EA1DA8E51BBA38934F2A5D3252 |
SHA384 | 0F9E555EA227314A863CB9F3AF987EB01B889D844B820819DB08D5DA939E3E75986452BA711AC1C269CDB2A1FFF27458 |
SHA512 | 1B812A859CEEA40988BBD62FEF899AA1CD17F5CFD7A6FF034F1484EF0D654D324C4C89EEACBFAAC966148372D38F24A1DC19967B5C7AF80C800982D96EE73C44 |
SSDEEP | 384:bOR9OuS0dzglLXebaxQSyE8mtP1wx2Ck8dRwKRSnBPNjWCqW:bOyN0dMl7eWxVyETm2SSBPz |
IMP | D950A0891AA3651B49F0BAFE5E2CEF68 |
PESHA1 | DD0F83388645B68947904DD0A143A5BF87515C3A |
PE256 | A536DFA4FFBAC26CC9862FC2F5BE6EF3DFEEE0C7F4C8862037A49930FE7EDDAC |
Runtime Data
Usage (stdout):
Converts a FAT volume to NTFS.
CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]
volume Specifies the drive letter (followed by a colon),
mount point, or volume name.
/FS:NTFS Specifies that the volume will be converted to NTFS.
/V Specifies that Convert will be run in verbose mode.
/CvtArea:filename
Specifies a contiguous file in the root directory
that will be the place holder for NTFS system files.
/NoSecurity Specifies that the security settings on the converted
files and directories allow access by all users.
/X Forces the volume to dismount first if necessary.
All open handles to the volume will not be valid.
Usage (stderr):
Invalid drive specification.
Loaded Modules:
Path |
---|
C:\Windows\system32\convert.exe |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266
- Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CONVERT.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/9678122abe2ffeda75912da16b188c755b7517ea1da8e51bba38934f2a5d3252/detection
Possible Misuse
The following table contains possible examples of convert.exe
being misused. While convert.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_eda.yml | - '[Convert]::ToString($SYNOptions, 16)' |
DRL 1.0 |
sigma | powershell_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
sigma | posh_pm_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-NameToSid |
DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-ADName |
DRL 1.0 |
sigma | posh_ps_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
sigma | proc_creation_win_mimikatz_command_line.yml | - 'function Convert-GuidToCompressedGuid' |
DRL 1.0 |
sigma | proc_creation_win_ransom_blackbyte.yml | - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' |
DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-ADName |
DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-SidToName |
DRL 1.0 |
atomic-red-team | T1027.md | $EncodedCommand =[Convert]::ToBase64String($Bytes) | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.md | powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))” | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\AtomicRedTeam’).ART))) | MIT License. © 2018 Red Canary |
atomic-red-team | T1098.001.md | $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | $Content = [System.Convert]::FromBase64String($key) | MIT License. © 2018 Red Canary |
signature-base | apt_aus_parl_compromise.yar | $x1 = “Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];” ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $x2 = “eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("” ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s1 = “<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String” ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s2 = “{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(“ ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a1 = “function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a2 = “function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $x2 = “convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $s6 = “* Failed to convert destination address into sockaddr_storage values” fullword wide | CC BY-NC 4.0 |
signature-base | apt_hafnium.yar | $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get” | CC BY-NC 4.0 |
signature-base | apt_muddywater.yar | /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $s2 = “$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig_oct17.yar | $s3 = “$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText(‘%Base%’));[io.file]::WriteAllBytes(“ ascii | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $encfile = “New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)” | CC BY-NC 4.0 |
signature-base | apt_project_sauron_extras.yar | $s2 = “Convert mode: Read log from file and convert to text” | CC BY-NC 4.0 |
signature-base | apt_tophat.yar | $s1 = “= New-Object IO.MemoryStream(,[Convert]::FromBase64String("” ascii | CC BY-NC 4.0 |
signature-base | apt_turla_neuron.yar | $ = “Convert.FromBase64String(temp[1])” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_unc2447_sombrat.yar | $x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii | CC BY-NC 4.0 |
signature-base | expl_proxyshell.yar | $s01 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[” ascii wide | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s2 = “$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s1 = “$Base64Decoded = [Convert]::FromBase64String($Cpassword)” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s2 = “$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_invoke_thehash.yar | $s3 = “$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s10 = “= [System.Convert]::FromBase64String("/” ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s5 = “= [System.Convert]::FromBase64String(“ ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_empire.yar | $s3 = “[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_susp.yar | $p3 = “[System.Convert]::FromBase64String(“ ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s3 = “if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘QQBNAEQANgA0AA==’)))) {“ fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s5 = “-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘MAAxADQAQwA=’))))” ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s1 = “if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::” ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = “WSocketResolveHost: Cannot convert host address ‘%s’” | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = “System.Convert.FromBase64String(“ ascii | CC BY-NC 4.0 |
signature-base | webshell_xsl_transform.yar | $x2 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(“ | CC BY-NC 4.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- |
Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); |
Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); |
Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); |
Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); |
Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); |
Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
convert
Converts a disk from one disk type to another.
Syntax
convert basic
convert dynamic
convert gpt
convert mbr
Parameters
Parameter | Description |
---|---|
convert basic command | Converts an empty dynamic disk into a basic disk. |
convert dynamic command | Converts a basic disk into a dynamic disk. |
convert gpt command | Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style. |
convert mbr command | Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.