convert.exe

  • File Path: C:\WINDOWS\SysWOW64\convert.exe
  • Description: File System Conversion Utility

Hashes

Type Hash
MD5 AE0E28F0E7EB1073A4C68DFD214F5D36
SHA1 03B55758944D6FBCAE8119A8C5B27951B990FFEA
SHA256 89B294D1F29E4B10A0DCE0AD95EB6F48224BA1BC2E2E241F0BB8EF107D084A47
SHA384 F65CC332DAD0711835D341467AB995DA2ED9DD5A960944A651BC68A05A2F696637EDC7E95BA833CD72566B56E6792EAA
SHA512 DE102A4ACCA52373C951BA60C37C6114A87E44179207300D8F2F7F94028186786FC35BE0C71F3012367FF56DB3B684D1943FDF86076721F43580C6DE9CCDF67B
SSDEEP 384:usUAHU9b3aN3GgcFoosXaXHXZTa1+7xNTW3qW:lpu3O3GgM9pg6xO

Runtime Data

Usage (stdout):

Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]


  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.

Usage (stderr):

Invalid drive specification.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONVERT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_eda.yml - '[Convert]::ToString($SYNOptions, 16)' DRL 1.0
sigma powershell_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_pm_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-NameToSid DRL 1.0
sigma posh_ps_powerview_malicious_commandlets.yml - Convert-ADName DRL 1.0
sigma posh_ps_suspicious_invocation_specific.yml - '[Convert]::FromBase64String' DRL 1.0
sigma proc_creation_win_mimikatz_command_line.yml - 'function Convert-GuidToCompressedGuid' DRL 1.0
sigma proc_creation_win_ransom_blackbyte.yml - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-ADName DRL 1.0
sigma proc_creation_win_susp_sharpview.yml - Convert-SidToName DRL 1.0
atomic-red-team T1027.md $EncodedCommand =[Convert]::ToBase64String($Bytes) MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\AtomicRedTeam’).ART))) MIT License. © 2018 Red Canary
atomic-red-team T1098.001.md $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md $Content = [System.Convert]::FromBase64String($key) MIT License. © 2018 Red Canary
signature-base apt_aus_parl_compromise.yar $x1 = “Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $x2 = “eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s1 = “<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String” ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $s2 = “{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a1 = “function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_aus_parl_compromise.yar $a2 = “function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar $x2 = “convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s6 = “* Failed to convert destination address into sockaddr_storage values” fullword wide CC BY-NC 4.0
signature-base apt_hafnium.yar $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get” CC BY-NC 4.0
signature-base apt_muddywater.yar /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ CC BY-NC 4.0
signature-base apt_oilrig.yar $s2 = “$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘” fullword ascii CC BY-NC 4.0
signature-base apt_oilrig_oct17.yar $s3 = “$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText(‘%Base%’));[io.file]::WriteAllBytes(“ ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar $encfile = “New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)” CC BY-NC 4.0
signature-base apt_project_sauron_extras.yar $s2 = “Convert mode: Read log from file and convert to text” CC BY-NC 4.0
signature-base apt_tophat.yar $s1 = “= New-Object IO.MemoryStream(,[Convert]::FromBase64String("” ascii CC BY-NC 4.0
signature-base apt_turla_neuron.yar $ = “Convert.FromBase64String(temp[1])” fullword ascii CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii CC BY-NC 4.0
signature-base expl_proxyshell.yar $s01 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[” ascii wide CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s2 = “$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s1 = “$Base64Decoded = [Convert]::FromBase64String($Cpassword)” fullword ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = “$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)” fullword ascii CC BY-NC 4.0
signature-base gen_invoke_thehash.yar $s3 = “$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}” fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s10 = “= [System.Convert]::FromBase64String("/” ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s5 = “= [System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s3 = “[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $p3 = “[System.Convert]::FromBase64String(“ ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s3 = “if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘QQBNAEQANgA0AA==’)))) {“ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s5 = “-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘MAAxADQAQwA=’))))” ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s1 = “if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “WSocketResolveHost: Cannot convert host address ‘%s’” CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “System.Convert.FromBase64String(“ ascii CC BY-NC 4.0
signature-base webshell_xsl_transform.yar $x2 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(“ CC BY-NC 4.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ---- Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); Apache-2.0
stockpile 0582dc26-e0cf-4645-88cf-f37a02279976.yml $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile 4a1120a5-971c-457f-bb07-60641b4723fd.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $basetoken = [System.Convert]::ToBase64String([char[]]$token); Apache-2.0
stockpile a201bec2-a193-4b58-bf0e-57fa621da474.yml $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


convert

Converts a disk from one disk type to another.

Syntax

convert basic
convert dynamic
convert gpt
convert mbr

Parameters

  • convert basic command: Converts an empty dynamic disk into a basic disk.
  • convert dynamic command: Converts a basic disk into a dynamic disk.
  • convert gpt command: Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style.
  • convert mbr command: Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style.


MIT License. Copyright (c) 2020-2021 Strontic.