convert.exe
- File Path: C:\Windows\SysWOW64\convert.exe
- Description: File System Conversion Utility
Hashes
Type | Hash |
---|---|
MD5 | 90FE6B0994E8BDE133A650963EDBD6C2 |
SHA1 | 3D77A83C69C603A4D09DB0EF5D183484EB62E38B |
SHA256 | D280FF3983AF2B77EEEA7C5D1F021CCCD254444C30F65700DF097328B6E3AD2F |
SHA384 | F5D0C798B5C26AE8E6181C582C7665CF226BC99618AFEBF0217398F1D6E6D037E56CCBEDE2CC33BCCC2FFAFC3B5C787A |
SHA512 | E7E1A719F012A1DFF49B58FB68BEB76A8DB310E3914D0E72906E774704C2CFF935482CB8126C2E0A77F38D7CAB4E7B66B6AF3544E112324DB0C31D1387A04628 |
SSDEEP | 384:5UXz59OBNRiActWgMgcMXKXHXZTac+7xNzW9qWl:5vPRxctWPJpx6xYZ |
IMP | 67458FAEC238A61DD838DD54CA17F2A9 |
PESHA1 | 244861C1EEEC55557C8D08F57214FB1A5594FC23 |
PE256 | 63DB4CA601E6DDEEFC611E17D708AAB9311E453DA6F9381F70ECBABCE31CB01B |
Runtime Data
Usage (stdout):

```
Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]

  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.
```

Usage (stderr):

```
Invalid drive specification.
```
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\convert.exe |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CONVERT.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/d280ff3983af2b77eeea7c5d1f021cccd254444c30f65700df097328b6e3ad2f/detection/
Possible Misuse
The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that most rows below are keyword matches on the .NET `System.Convert` class (for example `[Convert]::FromBase64String`) or on PowerShell `Convert-*` cmdlets rather than on the convert.exe binary itself, so treat them as context for the name, not as evidence that this executable was involved.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_eda.yml | - '[Convert]::ToString($SYNOptions, 16)' | DRL 1.0 |
sigma | powershell_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | posh_pm_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-NameToSid | DRL 1.0 |
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-ADName | DRL 1.0 |
sigma | posh_ps_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0 |
sigma | proc_creation_win_mimikatz_command_line.yml | - 'function Convert-GuidToCompressedGuid' | DRL 1.0 |
sigma | proc_creation_win_ransom_blackbyte.yml | - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' | DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-ADName | DRL 1.0 |
sigma | proc_creation_win_susp_sharpview.yml | - Convert-SidToName | DRL 1.0 |
atomic-red-team | T1027.md | $EncodedCommand =[Convert]::ToBase64String($Bytes) | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.md | powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st #{time} | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) | MIT License. © 2018 Red Canary |
atomic-red-team | T1098.001.md | $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | $Content = [System.Convert]::FromBase64String($key) | MIT License. © 2018 Red Canary |
signature-base | apt_aus_parl_compromise.yar | $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s1 = "<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_aus_parl_compromise.yar | $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide | CC BY-NC 4.0 |
signature-base | apt_hafnium.yar | $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get" | CC BY-NC 4.0 |
signature-base | apt_muddywater.yar | /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ | CC BY-NC 4.0 |
signature-base | apt_oilrig.yar | $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_oilrig_oct17.yar | $s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii | CC BY-NC 4.0 |
signature-base | apt_op_wocao.yar | $encfile = "New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)" | CC BY-NC 4.0 |
signature-base | apt_project_sauron_extras.yar | $s2 = "Convert mode: Read log from file and convert to text" | CC BY-NC 4.0 |
signature-base | apt_tophat.yar | $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String("" ascii | CC BY-NC 4.0 |
signature-base | apt_turla_neuron.yar | $ = "Convert.FromBase64String(temp[1])" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_unc2447_sombrat.yar | $x1 = "powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::" ascii | CC BY-NC 4.0 |
signature-base | expl_proxyshell.yar | $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s2 = "$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_empire.yar | $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_invoke_thehash.yar | $s3 = "$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") \| ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s10 = "= [System.Convert]::FromBase64String("/" ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s5 = "= [System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_empire.yar | $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_susp.yar | $p3 = "[System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s3 = "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s5 = "-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))" ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_toolkit.yar | $s1 = "if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::" ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = "WSocketResolveHost: Cannot convert host address '%s'" | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = "System.Convert.FromBase64String(" ascii | CC BY-NC 4.0 |
signature-base | webshell_xsl_transform.yar | $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" | CC BY-NC 4.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- | Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); | Apache-2.0 |
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); | Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0 |
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0 |
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
convert
Converts a disk from one disk type to another.
Syntax

```
convert basic
convert dynamic
convert gpt
convert mbr
```
Parameters
Parameter | Description |
---|---|
convert basic command | Converts an empty dynamic disk into a basic disk. |
convert dynamic command | Converts a basic disk into a dynamic disk. |
convert gpt command | Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style. |
convert mbr command | Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.