Running `dir /a` on a given directory on one of our servers produces a list of unexpected files that look like malware:

```
C:\Users\<username>dir /a c:\Users\Public\Downloads\
Volume in drive C has no label.
Volume Serial Number is 9999-9999
Directory of c:\Users\Public\Downloads
07/09/2023 09:28 PM 20,000 ZZZZZ2852017353.doc
07/21/2023 10:10 PM 50,240 !!!!!2729304900.doc
07/21/2023 09:34 PM 3,000,000 XORXOR2654977376.doc
07/21/2023 09:53 PM 1,024 smTlX4069337007.txt
07/09/2023 09:22 PM 2,024 ZZZZZ2452917832.docx
07/17/2023 08:59 PM 4,048 !!!!!910538317.pem
06/27/2023 08:58 PM 10,000 XORXOR2801197100.jpg
07/21/2023 08:27 PM 20,000 smTlX1631532574.png
07/21/2023 08:42 PM 25,000 ZZZZZ2426080075.bmp
07/21/2023 08:44 PM 30,000 !!!!!503919568.eml
07/09/2023 08:58 PM 100,000 XORXOR2564426092.xls
06/27/2023 08:53 PM 150,000 smTlX2350243133.xlsx
07/17/2023 09:41 PM 175,000 ZZZZZ3070700973.mdb
07/21/2023 09:53 PM 200,000 !!!!!533403438.ppt
07/21/2023 09:04 PM 225,000 XORXOR395504056.pps
07/09/2023 08:50 PM 250,000 smTlX634944309.pptx
07/09/2023 09:13 PM 275,000 ZZZZZ2775334046.pdf
06/27/2023 08:26 PM 300,000 !!!!!3608986092.avi
06/27/2023 08:56 PM 350,000 XORXOR189161240.db
06/27/2023 09:53 PM 350,000 smTlX416169661.pst
06/27/2023 09:54 PM 400,000 ZZZZZ2740091908.sql
07/21/2023 10:12 PM <DIR> !!!!!1300245113
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:16 AM 174 desktop.ini
07/09/2023 09:28 PM 20,000 ZZZZZ3219714798.doc
07/21/2023 10:10 PM 50,240 !!!!!4004685157.doc
07/21/2023 09:34 PM 3,000,000 XORXOR3352709303.doc
07/21/2023 09:53 PM 1,024 smTlX3205606753.txt
07/09/2023 09:22 PM 2,024 ZZZZZ331100468.docx
07/17/2023 08:59 PM 4,048 !!!!!1274788081.pem
06/27/2023 08:58 PM 10,000 XORXOR647044953.jpg
07/21/2023 08:27 PM 20,000 smTlX1871256990.png
07/21/2023 08:42 PM 25,000 ZZZZZ638203430.bmp
07/21/2023 08:44 PM 30,000 !!!!!4241961912.eml
07/09/2023 08:58 PM 100,000 XORXOR1411632423.xls
06/27/2023 08:53 PM 150,000 smTlX743786790.xlsx
07/17/2023 09:41 PM 175,000 ZZZZZ4216568629.mdb
07/21/2023 09:53 PM 200,000 !!!!!2025383911.ppt
07/21/2023 09:04 PM 225,000 XORXOR1743807666.pps
07/09/2023 08:50 PM 250,000 smTlX229377095.pptx
07/09/2023 09:13 PM 275,000 ZZZZZ191670683.pdf
06/27/2023 08:26 PM 300,000 !!!!!1941248879.avi
06/27/2023 08:56 PM 350,000 XORXOR1946193784.db
06/27/2023 09:53 PM 350,000 smTlX2089358877.pst
06/27/2023 09:54 PM 400,000 ZZZZZ249794861.sql
07/21/2023 10:12 PM <DIR> !!!!!157789779
43 File(s) 11,874,846 bytes
4 Dir(s) 82,072,215,552 bytes free
```

Whether I run Command Prompt "as administrator" or not does not matter; the result is the same.
While the malware itself is a separate issue, I'd like to produce a similar list in PowerShell so I could try to automate scanning for these and similar files across multiple machines.
Yet when I run `Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force` on the same server (as suggested elsewhere on SO, e.g. in "How to list all files in a folder (do cmd's `dir /A`) in PowerShell?"), I get this:

```
PS C:\Users\<username>> Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force
Directory: C:\Users\Public\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 9/15/2018 12:16 AM 174 desktop.ini
```

Running the above "as administrator" - same result.
... which begs the title question:
What is the Powershell equivalent of "dir /a"?
P.S.
- I can't get the files in question to display in File Explorer - even after I enable hidden and system files
- It's Windows Server 2019. Its `C:\` drive is growing linearly at about ~95GB a month. The total disk space used (320GB) doesn't seem to add up when checking all root directories' sizes individually (100-150GB). I have a feeling these files may be the culprit.
`cmd /c dir /a` from PowerShell.
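
Calling `cmd /c dir /a` from PowerShell returns plain text rather than objects. The following is an added example, not code from the question or the comment: it parses that text into objects and lists entries that `dir /a` reports but `Get-ChildItem -Force` does not. The function name `ConvertFrom-DirListing` is hypothetical, the sample lines are copied from the listing in the question, and the regex assumes the US-English date layout shown there.

```powershell
# Added example (not from the original post): turn `dir /a` text into objects.
function ConvertFrom-DirListing {
    param([Parameter(Mandatory)][string[]]$Line)
    # Entry lines in the layout shown in the question, e.g.
    #   07/09/2023 09:28 PM 20,000 ZZZZZ2852017353.doc
    #   07/21/2023 10:12 PM <DIR> !!!!!1300245113
    $pattern = '^(?<date>\d{2}/\d{2}/\d{4})\s+(?<time>\d{2}:\d{2} [AP]M)\s+' +
               '(?<size><DIR>|[\d,]+)\s+(?<name>.+)$'
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }        # header and summary lines
        $m = $Matches                                   # copy before further operators run
        if ($m.name -in '.', '..') { continue }
        $isDir = $m.size -eq '<DIR>'
        [pscustomobject]@{
            Name          = $m.name
            IsDirectory   = $isDir
            Length        = if ($isDir) { $null } else { [long]($m.size -replace ',', '') }
            LastWriteTime = [datetime]::ParseExact("$($m.date) $($m.time)",
                                'MM/dd/yyyy hh:mm tt', [cultureinfo]::InvariantCulture)
        }
    }
}

# Sample input: lines copied from the listing in the question, so this runs offline.
$sample = @(
    'Directory of c:\Users\Public\Downloads'
    '09/15/2018 12:19 AM <DIR> .'
    '07/09/2023 09:28 PM 20,000 ZZZZZ2852017353.doc'
    '07/21/2023 10:12 PM <DIR> !!!!!1300245113'
    '09/15/2018 12:16 AM 174 desktop.ini'
    '43 File(s) 11,874,846 bytes'
)
ConvertFrom-DirListing -Line $sample | Format-Table -AutoSize

# On a live host: report entries that dir /a shows but Get-ChildItem -Force does not.
$path = 'C:\Users\Public\Downloads'
if (Test-Path -LiteralPath $path) {
    $fromDir = ConvertFrom-DirListing -Line (cmd /c dir /a "$path")
    $fromGci = @((Get-ChildItem -LiteralPath $path -Force).Name)
    $fromDir | Where-Object { $_.Name -notin $fromGci } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, Length, LastWriteTime
}
```

Because the last pipeline emits objects tagged with the computer name, the output can be collected from several machines and exported with `Export-Csv` for comparison.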