convert.exe

  • File Path: C:\Windows\system32\convert.exe
  • Description: File System Conversion Utility

Hashes

Type     Hash
MD5      7428F525CBC2AB967913609B11125506
SHA1     1C5D5E33612B2983FAD12B516DF5CD7EE192C16B
SHA256   9678122ABE2FFEDA75912DA16B188C755B7517EA1DA8E51BBA38934F2A5D3252
SHA384   0F9E555EA227314A863CB9F3AF987EB01B889D844B820819DB08D5DA939E3E75986452BA711AC1C269CDB2A1FFF27458
SHA512   1B812A859CEEA40988BBD62FEF899AA1CD17F5CFD7A6FF034F1484EF0D654D324C4C89EEACBFAAC966148372D38F24A1DC19967B5C7AF80C800982D96EE73C44
SSDEEP   384:bOR9OuS0dzglLXebaxQSyE8mtP1wx2Ck8dRwKRSnBPNjWCqW:bOyN0dMl7eWxVyETm2SSBPz
IMP      D950A0891AA3651B49F0BAFE5E2CEF68
PESHA1   DD0F83388645B68947904DD0A143A5BF87515C3A
PE256    A536DFA4FFBAC26CC9862FC2F5BE6EF3DFEEE0C7F4C8862037A49930FE7EDDAC

Runtime Data

Usage (stdout):

Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]


  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.
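The following wrapper is an added example and is not part of the Strontic page or of Windows itself. It drives the convert.exe syntax shown above from PowerShell so that the conversion is only attempted on a FAT volume, /NoSecurity (which leaves the converted volume accessible to all users) and /X (which invalidates every open handle on the volume) must be requested explicitly, and the root ACL can be inspected afterwards for broad grants. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later, where Get-Volume is available; the function names and the list of "broad" principals are the example's own choices.

```powershell
# Added example (not from the Strontic page or Microsoft): guarded wrapper around
#   CONVERT volume /FS:NTFS [/V] [/NoSecurity] [/X]
# Assumes an elevated Windows PowerShell 5.1 session with the Storage module (Get-Volume).
function Convert-VolumeToNtfs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [switch]$NoSecurity,    # maps to /NoSecurity: converted files/dirs become accessible to all users
        [switch]$ForceDismount  # maps to /X: forces a dismount; all open handles to the volume become invalid
    )

    # Refuse anything that is not FAT/FAT32: convert.exe only converts FAT volumes to NTFS,
    # and the filter keeps the call from ever being pointed at an NTFS system volume by mistake.
    $vol = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($vol.FileSystem -notmatch '^FAT') {
        throw "Volume ${DriveLetter}: is $($vol.FileSystem); convert.exe only converts FAT volumes to NTFS"
    }

    $convertArgs = @("${DriveLetter}:", '/FS:NTFS', '/V')
    if ($NoSecurity)    { $convertArgs += '/NoSecurity' }
    if ($ForceDismount) { $convertArgs += '/X' }

    # -WhatIf / -Confirm support so the exact command line can be reviewed before it runs.
    if ($PSCmdlet.ShouldProcess("${DriveLetter}:", "convert.exe $($convertArgs -join ' ')")) {
        & "$env:SystemRoot\System32\convert.exe" @convertArgs
        if ($LASTEXITCODE -ne 0) { throw "convert.exe exited with code $LASTEXITCODE" }
    }
}

# Post-conversion check: list Allow ACEs on the volume root granted to broad principals.
# After a /NoSecurity conversion expect an Everyone entry here; after a default conversion
# review whatever is listed against the intended permission model for the volume.
function Get-PermissiveRootAce {
    param([Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter)
    (Get-Acl -Path "${DriveLetter}:\").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

# Usage (interactive, elevated):
#   Convert-VolumeToNtfs -DriveLetter E -WhatIf      # show the command line only
#   Convert-VolumeToNtfs -DriveLetter E              # default ACLs
#   Get-PermissiveRootAce -DriveLetter E
```

Run this from an interactive session: when convert.exe cannot lock the volume it prompts to schedule the conversion for the next restart, and a non-interactive host would hang on that prompt.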

Usage (stderr):

Invalid drive specification.

Loaded Modules:

Path
C:\Windows\system32\convert.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
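The check below is an added example, not part of the Strontic page. It compares the convert.exe on a host against the SHA256 and Authenticode signer recorded above and reports one of three verdicts: the exact build catalogued here, a different but validly Microsoft-signed build, or a binary that should not be trusted. Because the hash is specific to build 10.0.19041.1 and Microsoft rotates the "Microsoft Windows" leaf certificate, a hash or thumbprint mismatch with a valid chain from the Microsoft Windows Production PCA 2011 is treated as "other build", not tampering; the verdict names and the decision to key on issuer and subject rather than on the thumbprint are the example's own choices. Assumes Windows PowerShell 4.0 or later (Get-FileHash).

```powershell
# Added example (not from the Strontic page): verify a local convert.exe against the values above.
# Assumes Windows PowerShell 4.0+; the expected values are the ones listed on this page.
$ExpectedSha256  = '9678122ABE2FFEDA75912DA16B188C755B7517EA1DA8E51BBA38934F2A5D3252'
$ExpectedSubject = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$ExpectedIssuer  = 'CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$PageThumbprint  = 'A4341B9FD50FB9964283220A36A1EF6F6FAA7840'   # informational; leaf certs rotate

function Test-ConvertExeIntegrity {
    param([string]$Path = "$env:SystemRoot\System32\convert.exe")

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Detail = 'file not found' }
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # System32 binaries are usually catalog-signed; Get-AuthenticodeSignature resolves the
    # catalog on Windows 8+ and reports the catalog signer as SignerCertificate.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -eq $ExpectedSubject) -and
                ($sig.SignerCertificate.Issuer  -eq $ExpectedIssuer)

    if (-not $signerOk) {
        # Invalid, missing, or non-Microsoft signature: do not trust regardless of hash.
        $verdict = 'UNTRUSTED'
        $detail  = "signature status $($sig.Status); signer '$($sig.SignerCertificate.Subject)'"
    } elseif ($hash -eq $ExpectedSha256) {
        $verdict = 'MATCH'
        $detail  = "SHA256 and signer match build 10.0.19041.1" +
                   $(if ($sig.SignerCertificate.Thumbprint -ne $PageThumbprint) { ' (leaf cert thumbprint differs from the page)' })
    } else {
        # Valid Microsoft signature but another hash: a different Windows build, not tampering.
        $verdict = 'SIGNED-OTHER-BUILD'
        $detail  = "SHA256 $hash differs from the catalogued build; Microsoft signature is valid"
    }

    [pscustomobject]@{
        Path       = $Path
        Verdict    = $verdict
        SHA256     = $hash
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Detail     = $detail
    }
}

Test-ConvertExeIntegrity | Format-List
```

A copy of convert.exe found outside System32 (or one whose verdict is UNTRUSTED) is the case that matters for hunting: the rest of this page describes a Microsoft-signed system utility, and nothing here makes a validly signed, different-build copy suspicious on its own.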

File Metadata

  • Original Filename: CONVERT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/9678122abe2ffeda75912da16b188c755b7517ea1da8e51bba38934f2a5d3252/detection

Possible Misuse

The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The rows are keyword matches on "convert" in public rule and test sets; nearly all of them refer to the .NET System.Convert class ([Convert]::FromBase64String and similar) inside PowerShell, ASPX or JScript payloads, or to unrelated strings containing the word "convert", rather than to an invocation of this binary. Treat them as context for what "Convert" hits in command-line or YARA telemetry usually mean, not as evidence of convert.exe abuse.

Source Source File Example License
sigma apt_silence_eda.yml - '[Convert]::ToString($SYNOptions, 16)' DRL 1.0
sigma powershell_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_pm_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-NameToSid DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-ADName DRL 1.0
sigma posh_ps_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma proc_creation_win_mimikatz_command_line.yml - 'function Convert-GuidToCompressedGuid' DRL 1.0
sigma proc_creation_win_ransom_blackbyte.yml - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-ADName DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-SidToName DRL 1.0
atomic-red-team T1027.md $EncodedCommand =[Convert]::ToBase64String($Bytes) MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st #{time} MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) MIT License. © 2018 Red Canary
atomic-red-team T1098.001.md $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md $Content = [System.Convert]::FromBase64String($key) MIT License. © 2018 Red Canary
signature-base apt_aus_parl_compromise.yar $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];" ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("" ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s1 = "<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide CC BY-NC 4.0
signature-base apt_hafnium.yar $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get" CC BY-NC 4.0
signature-base apt_muddywater.yar /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii CC BY-NC 4.0
signature-base apt_oilrig_oct17.yar $s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar $encfile = "New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)" CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = "Convert mode: Read log from file and convert to text" CC BY-NC 4.0
signature-base apt_tophat.yar $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String("" ascii CC BY-NC 4.0
signature-base apt_turla_neuron.yar $ = "Convert.FromBase64String(temp[1])" fullword ascii CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x1 = "powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::" ascii CC BY-NC 4.0
signature-base expl_proxyshell.yar $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s2 = "$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;" fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii CC BY-NC 4.0
signature-base gen_invoke_thehash.yar $s3 = "$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}" fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s10 = "= [System.Convert]::FromBase64String("/" ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s5 = "= [System.Convert]::FromBase64String(" ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $p3 = "[System.Convert]::FromBase64String(" ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s3 = "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s5 = "-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))" ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s1 = "if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::" ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "WSocketResolveHost: Cannot convert host address '%s'" CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = "System.Convert.FromBase64String(" ascii CC BY-NC 4.0
signature-base webshell_xsl_transform.yar $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" CC BY-NC 4.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ---- Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0
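The triage function below is an added example; it is not from the Strontic page or from any of the rule sources in the table. It takes process-creation records, separates genuine convert.exe executions from the .NET [Convert] class references that account for most of the keyword matches above, and flags the two options that matter from a security standpoint (/NoSecurity and /X) plus a convert.exe image running outside System32. The sample records are constructed for the example, and the Image/CommandLine field names follow Sysmon Event ID 1 naming as an assumption about the input; the severity labels are the example's own.

```powershell
# Added example (not from the Strontic page or the listed rule sources).
# Input records are constructed here; field names assume Sysmon Event ID 1 style logs.
$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\convert.exe'; CommandLine = 'convert D: /FS:NTFS /V' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\convert.exe'; CommandLine = 'convert E: /FS:NTFS /NoSecurity /X' }
    [pscustomobject]@{ Image = 'C:\Users\Public\convert.exe';     CommandLine = 'convert.exe F: /FS:NTFS' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -command "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(''SQBFAFgA'')))"' }
)

function Get-ConvertExeFinding {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Event)
    process {
        # Not this binary: a [Convert]::*Base64String hit is .NET encoding activity in PowerShell
        # (or .NET code) and belongs with the PowerShell rules in the table, not with convert.exe.
        if ($Event.Image -notmatch '\\convert\.exe$') {
            if ($Event.CommandLine -match '\[(System\.)?Convert\]::(From|To)Base64String') {
                [pscustomobject]@{
                    Severity = 'info'
                    Image    = $Event.Image
                    Reason   = '.NET [Convert] base64 call in command line; not convert.exe'
                }
            }
            return
        }

        $reasons = @()
        if ($Event.Image -notmatch '^[A-Za-z]:\\Windows\\System32\\convert\.exe$') {
            $reasons += 'convert.exe running outside System32 (possible masquerade; verify hash and signature)'
        }
        # Option matching is whole-token so /X does not fire on other switches.
        if ($Event.CommandLine -match '(^|\s)/NoSecurity(\s|$)') {
            $reasons += '/NoSecurity: ACLs on the converted volume allow access by all users'
        }
        if ($Event.CommandLine -match '(^|\s)/X(\s|$)') {
            $reasons += '/X: forced dismount invalidates all open handles on the volume'
        }

        if ($reasons.Count -gt 0) { $severity = 'review';   $reason = $reasons -join '; ' }
        else                      { $severity = 'baseline'; $reason = 'FAT-to-NTFS conversion with default options' }

        [pscustomobject]@{ Severity = $severity; Image = $Event.Image; Reason = $reason }
    }
}

$SampleEvents | Get-ConvertExeFinding | Format-Table Severity, Reason, Image -AutoSize -Wrap
```

On the constructed input this yields one baseline record (D:), one review record for E: carrying both the /NoSecurity and /X reasons, one review record for the copy under C:\Users\Public, and one informational record for the PowerShell command line. Real conversions are rare on managed fleets, so even the baseline records are usually worth a look; the point of the split is that [Convert] string matches never end up attributed to this utility.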

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license. Note that the copied article documents the convert subcommand of DiskPart (convert basic, dynamic, gpt, mbr), which changes a disk's type or partition style; it is not the documentation for convert.exe, whose only function is the FAT-to-NTFS file-system conversion shown in the usage text above.


convert

Converts a disk from one disk type to another.

Syntax

convert basic
convert dynamic
convert gpt
convert mbr

Parameters

Parameter Description
convert basic command Converts an empty dynamic disk into a basic disk.
convert dynamic command Converts a basic disk into a dynamic disk.
convert gpt command Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style.
convert mbr command Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.