convert.exe

  • File Path: C:\WINDOWS\system32\convert.exe
  • Description: File System Conversion Utility

Hashes

Type     Hash
MD5      F7673909AA2B54C43E435F5AE1AE4A18
SHA1     CD27DA8D6CB00C9CC0ECCF90835868E201D86C09
SHA256   B2A41E4A4D2CC2B11D48601725B89350E04B747D85820AA0CF3FF8A1E66311AE
SHA384   1E5E659578C51B1A07A954EF18ACBF883A0B6B501F2C98B35796742A3CFAFF604D9D54504C341235AF09A7A34825567D
SHA512   6AC6CA5ED3F21A510198BDDC9AEFBE9ADA02B6168FD810B2A850D3020AEF99A94D998B564DF86613C6729360AEF8FFB0BA05852E66757738CB39D739C2E8040E
SSDEEP   384:Sq9W9yYAKiqNh0+BjCJlvis3sSTq5w5Dd9oS2bwKh9NjWJqW:Sq9NYAE0+xCWs8PW5w/9c
IMP      FDAA0FB05267A94298DC4E75A02B82E4
PESHA1   28CD3697A377540215EB8E71B95FC4C1887E1C0B
PE256    7AF6D176AFE0E15FADD36D0D04FD3879F857BA4B0C2E0300705E20755ACECE0F

Runtime Data

Usage (stdout):

Converts a FAT volume to NTFS.

CONVERT volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]


  volume      Specifies the drive letter (followed by a colon),
              mount point, or volume name.
  /FS:NTFS    Specifies that the volume will be converted to NTFS.
  /V          Specifies that Convert will be run in verbose mode.
  /CvtArea:filename
              Specifies a contiguous file in the root directory
              that will be the place holder for NTFS system files.
  /NoSecurity Specifies that the security settings on the converted
              files and directories allow access by all users.
  /X          Forces the volume to dismount first if necessary.
              All open handles to the volume will not be valid.

Usage (stderr):

Invalid drive specification.

Loaded Modules:

Path
C:\WINDOWS\system32\convert.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONVERT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/b2a41e4a4d2cc2b11d48601725b89350e04b747d85820aa0cf3ff8a1e66311ae/detection

Possible Misuse

The following table lists possible examples of convert.exe being misused. convert.exe is not inherently malicious, but its legitimate functionality can be abused for malicious purposes. Note that most of the matches below come from string searches for "Convert" and refer to the .NET [System.Convert] class or PowerShell Convert-* cmdlets rather than to the convert.exe file-system utility itself.

Source | Source File | Example | License
sigma | apt_silence_eda.yml | - '[Convert]::ToString($SYNOptions, 16)' | DRL 1.0
sigma | powershell_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0
sigma | posh_pm_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-NameToSid | DRL 1.0
sigma | posh_ps_powerview_malicious_commandlets.yml | - Convert-ADName | DRL 1.0
sigma | posh_ps_suspicious_invocation_specific.yml | - '[Convert]::FromBase64String' | DRL 1.0
sigma | proc_creation_win_mimikatz_command_line.yml | - 'function Convert-GuidToCompressedGuid' | DRL 1.0
sigma | proc_creation_win_ransom_blackbyte.yml | - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(' | DRL 1.0
sigma | proc_creation_win_susp_sharpview.yml | - Convert-ADName | DRL 1.0
sigma | proc_creation_win_susp_sharpview.yml | - Convert-SidToName | DRL 1.0
atomic-red-team | T1027.md | $EncodedCommand =[Convert]::ToBase64String($Bytes) | MIT License. © 2018 Red Canary
atomic-red-team | T1027.md | powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" | MIT License. © 2018 Red Canary
atomic-red-team | T1053.005.md | schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st #{time} | MIT License. © 2018 Red Canary
atomic-red-team | T1059.001.md | iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) | MIT License. © 2018 Red Canary
atomic-red-team | T1098.001.md | $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | MIT License. © 2018 Red Canary
atomic-red-team | T1218.009.md | $Content = [System.Convert]::FromBase64String($key) | MIT License. © 2018 Red Canary
signature-base | apt_aus_parl_compromise.yar | $x1 = "Request.Item[System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("[password]"))];" ascii | CC BY-NC 4.0
signature-base | apt_aus_parl_compromise.yar | $x2 = "eval(arguments,System.Text.Encoding.UTF8.GetString(Convert.FromBase64String("" ascii | CC BY-NC 4.0
signature-base | apt_aus_parl_compromise.yar | $s1 = "<%@ Page Language="Jscript" validateRequest="false"%><%try{eval(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String" ascii | CC BY-NC 4.0
signature-base | apt_aus_parl_compromise.yar | $s2 = "{return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(" ascii | CC BY-NC 4.0
signature-base | apt_aus_parl_compromise.yar | $a1 = "function DEC(d){return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(d));}" fullword ascii | CC BY-NC 4.0
signature-base | apt_aus_parl_compromise.yar | $a2 = "function ENC(d){return Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(d));}" fullword ascii | CC BY-NC 4.0
signature-base | apt_eqgrp.yar | $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii | CC BY-NC 4.0
signature-base | apt_eqgrp_apr17.yar | $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide | CC BY-NC 4.0
signature-base | apt_hafnium.yar | $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get" | CC BY-NC 4.0
signature-base | apt_muddywater.yar | /* iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( */ | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii | CC BY-NC 4.0
signature-base | apt_oilrig_oct17.yar | $s3 = "$DATA = [System.Convert]::FromBase64String([IO.File]::ReadAllText('%Base%'));[io.file]::WriteAllBytes(" ascii | CC BY-NC 4.0
signature-base | apt_op_wocao.yar | $encfile = "New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($encfile)" | CC BY-NC 4.0
signature-base | apt_project_sauron_extras.yar | $s2 = "Convert mode: Read log from file and convert to text" | CC BY-NC 4.0
signature-base | apt_tophat.yar | $s1 = "= New-Object IO.MemoryStream(,[Convert]::FromBase64String("" ascii | CC BY-NC 4.0
signature-base | apt_turla_neuron.yar | $ = "Convert.FromBase64String(temp[1])" fullword ascii | CC BY-NC 4.0
signature-base | apt_unc2447_sombrat.yar | $x1 = "powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::" ascii | CC BY-NC 4.0
signature-base | expl_proxyshell.yar | $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide | CC BY-NC 4.0
signature-base | gen_cn_webshells.yar | $s2 = "$sCmd = "convert ".$sFile." -flip -quality 80 ".$sFileOut;" fullword ascii | CC BY-NC 4.0
signature-base | gen_empire.yar | $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii | CC BY-NC 4.0
signature-base | gen_empire.yar | $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii | CC BY-NC 4.0
signature-base | gen_invoke_thehash.yar | $s3 = "$NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}" fullword ascii | CC BY-NC 4.0
signature-base | gen_metasploit_payloads.yar | $s10 = "= [System.Convert]::FromBase64String("/" ascii | CC BY-NC 4.0
signature-base | gen_metasploit_payloads.yar | $s5 = "= [System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0
signature-base | gen_powershell_empire.yar | $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii | CC BY-NC 4.0
signature-base | gen_powershell_susp.yar | $p3 = "[System.Convert]::FromBase64String(" ascii | CC BY-NC 4.0
signature-base | gen_powershell_toolkit.yar | $s3 = "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {" fullword ascii | CC BY-NC 4.0
signature-base | gen_powershell_toolkit.yar | $s5 = "-eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))" ascii | CC BY-NC 4.0
signature-base | gen_powershell_toolkit.yar | $s1 = "if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::" ascii | CC BY-NC 4.0
signature-base | thor-hacktools.yar | $s2 = "WSocketResolveHost: Cannot convert host address '%s'" | CC BY-NC 4.0
signature-base | thor-hacktools.yar | $s2 = "System.Convert.FromBase64String(" ascii | CC BY-NC 4.0
signature-base | webshell_xsl_transform.yar | $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" | CC BY-NC 4.0
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | (Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ---- | Apache-2.0
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $EncodedToken = [System.Convert]::ToBase64String([char[]]$Token); | Apache-2.0
stockpile | 0582dc26-e0cf-4645-88cf-f37a02279976.yml | $FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File)); | Apache-2.0
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0
stockpile | 4a1120a5-971c-457f-bb07-60641b4723fd.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $basetoken = [System.Convert]::ToBase64String([char[]]$token); | Apache-2.0
stockpile | a201bec2-a193-4b58-bf0e-57fa621da474.yml | $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes); | Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license. Note that the copied page documents the diskpart convert subcommands (basic, dynamic, gpt, mbr) rather than the FAT-to-NTFS convert.exe utility whose usage text is shown above.

convert

Converts a disk from one disk type to another.

Syntax

convert basic
convert dynamic
convert gpt
convert mbr

Parameters

Parameter | Description
convert basic | Converts an empty dynamic disk into a basic disk.
convert dynamic | Converts a basic disk into a dynamic disk.
convert gpt | Converts an empty basic disk with the master boot record (MBR) partition style into a basic disk with the GUID partition table (GPT) partition style.
convert mbr | Converts an empty basic disk with the GUID partition table (GPT) partition style into a basic disk with the master boot record (MBR) partition style.

MIT License. Copyright (c) 2020-2021 Strontic.