convert.exe
- File Path:
C:\WINDOWS\system32\convert.exe - Description: File System Conversion Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | F7673909AA2B54C43E435F5AE1AE4A18 |
| SHA1 | CD27DA8D6CB00C9CC0ECCF90835868E201D86C09 |
| SHA256 | B2A41E4A4D2CC2B11D48601725B89350E04B747D85820AA0CF3FF8A1E66311AE |
| SHA384 | 1E5E659578C51B1A07A954EF18ACBF883A0B6B501F2C98B35796742A3CFAFF604D9D54504C341235AF09A7A34825567D |
| SHA512 | 6AC6CA5ED3F21A510198BDDC9AEFBE9ADA02B6168FD810B2A850D3020AEF99A94D998B564DF86613C6729360AEF8FFB0BA05852E66757738CB39D739C2E8040E |
| SSDEEP | 384:Sq9W9yYAKiqNh0+BjCJlvis3sSTq5w5Dd9oS2bwKh9NjWJqW:Sq9NYAE0+xCWs8PW5w/9c |
| IMP | FDAA0FB05267A94298DC4E75A02B82E4 |
| PESHA1 | 28CD3697A377540215EB8E71B95FC4C1887E1C0B |
| PE256 | 7AF6D176AFE0E15FADD36D0D04FD3879F857BA4B0C2E0300705E20755ACECE0F |
Runtime Data
Usage (stdout):
Converts a FAT volume to NTFS.
CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]
volume Specifies the drive letter (followed by a colon),
mount point, or volume name.
/FS:NTFS Specifies that the volume will be converted to NTFS.
/V Specifies that Convert will be run in verbose mode.
/CvtArea:filename
Specifies a contiguous file in the root directory
that will be the place holder for NTFS system files.
/NoSecurity Specifies that the security settings on the converted
files and directories allow access by all users.
/X Forces the volume to dismount first if necessary.
All open handles to the volume will not be valid.
Usage (stderr):
Invalid drive specification.
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\system32\convert.exe |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CONVERT.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/b2a41e4a4d2cc2b11d48601725b89350e04b747d85820aa0cf3ff8a1e66311ae/detection
Possible Misuse
The following table contains possible examples of convert.exe being misused. While convert.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | apt_silence_eda.yml | - '[Convert]::ToString($SYNOptions, 16)' |
DRL 1.0 |
| sigma | powershell_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
| sigma | posh_pm_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
| sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-NameToSid |
DRL 1.0 |
| sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-ADName |
DRL 1.0 |
| sigma | posh_ps_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' |
DRL 1.0 |
| sigma | proc_creation_win_mimikatz_command_line.yml | - 'function Convert-GuidToCompressedGuid' |
DRL 1.0 |
| sigma | proc_creation_win_ransom_blackbyte.yml | - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' |
DRL 1.0 |
| sigma | proc_creation_win_susp_sharpview.yml | - Convert-ADName |
DRL 1.0 |
| sigma | proc_creation_win_susp_sharpview.yml | - Convert-SidToName |
DRL 1.0 |
| atomic-red-team | T1027.md | $EncodedCommand =[Convert]::ToBase64String($Bytes) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.md | powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\AtomicRedTeam’).ART))) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1098.001.md | $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | $Content = [System.Convert]::FromBase64String($key) | MIT License. © 2018 Red Canary |
| signature-base | apt_aus_parl_compromise.yar | $x1 = “Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];” ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $x2 = “eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("” ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $s1 = “<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String” ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $s2 = “{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(“ ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $a1 = “function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $a2 = “function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $x2 = “convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $s6 = “* Failed to convert destination address into sockaddr_storage values” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_hafnium.yar | $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get” | CC BY-NC 4.0 |
| signature-base | apt_muddywater.yar | /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $s2 = “$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(‘” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig_oct17.yar | $s3 = “$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText(‘%Base%’));[io.file]::WriteAllBytes(“ ascii | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $encfile = “New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)” | CC BY-NC 4.0 |
| signature-base | apt_project_sauron_extras.yar | $s2 = “Convert mode: Read log from file and convert to text” | CC BY-NC 4.0 |
| signature-base | apt_tophat.yar | $s1 = “= New-Object IO.MemoryStream(,[Convert]::FromBase64String("” ascii | CC BY-NC 4.0 |
| signature-base | apt_turla_neuron.yar | $ = “Convert.FromBase64String(temp[1])” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_unc2447_sombrat.yar | $x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii | CC BY-NC 4.0 |
| signature-base | expl_proxyshell.yar | $s01 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[” ascii wide | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s2 = “$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s1 = “$Base64Decoded = [Convert]::FromBase64String($Cpassword)” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s2 = “$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_invoke_thehash.yar | $s3 = “$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_metasploit_payloads.yar | $s10 = “= [System.Convert]::FromBase64String("/” ascii | CC BY-NC 4.0 |
| signature-base | gen_metasploit_payloads.yar | $s5 = “= [System.Convert]::FromBase64String(“ ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_empire.yar | $s3 = “[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_susp.yar | $p3 = “[System.Convert]::FromBase64String(“ ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_toolkit.yar | $s3 = “if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘QQBNAEQANgA0AA==’)))) {“ fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_toolkit.yar | $s5 = “-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(‘MAAxADQAQwA=’))))” ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_toolkit.yar | $s1 = “if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::” ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s2 = “WSocketResolveHost: Cannot convert host address ‘%s’” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s2 = “System.Convert.FromBase64String(“ ascii | CC BY-NC 4.0 |
| signature-base | webshell_xsl_transform.yar | $x2 = “.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(“ | CC BY-NC 4.0 |
| stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) \| set-content archive.extension -encoding byte ---- |
Apache-2.0 |
| stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); |
Apache-2.0 |
| stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); |
Apache-2.0 |
| stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); |
Apache-2.0 |
| stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); |
Apache-2.0 |
| stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); |
Apache-2.0 |
| stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
convert
Converts a disk from one disk type to another.
Syntax
convert basic
convert dynamic
convert gpt
convert mbr
Parameters
| Parameter | Description |
|---|---|
| convert basic command | Converts an empty dynamic disk into a basic disk. |
| convert dynamic command | Converts a basic disk into a dynamic disk. |
| convert gpt command | Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style. |
| convert mbr command | Converts an empty basic disk with the GUID Partition Table (GPT) partition style into a basic disk with the master boot record (MBR) partition style. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.