Running `dir /a` on a given directory on one of our servers produces a list of unexpected files that look like malware:
```
C:\Users\<username>dir /a c:\Users\Public\Downloads\
 Volume in drive C has no label.
 Volume Serial Number is 9999-9999

 Directory of c:\Users\Public\Downloads

09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
07/09/2023  09:28 PM            20,000 ZZZZZ2852017353.doc
07/21/2023  10:10 PM            50,240 !!!!!2729304900.doc
07/21/2023  09:34 PM         3,000,000 XORXOR2654977376.doc
07/21/2023  09:53 PM             1,024 smTlX4069337007.txt
07/09/2023  09:22 PM             2,024 ZZZZZ2452917832.docx
07/17/2023  08:59 PM             4,048 !!!!!910538317.pem
06/27/2023  08:58 PM            10,000 XORXOR2801197100.jpg
07/21/2023  08:27 PM            20,000 smTlX1631532574.png
07/21/2023  08:42 PM            25,000 ZZZZZ2426080075.bmp
07/21/2023  08:44 PM            30,000 !!!!!503919568.eml
07/09/2023  08:58 PM           100,000 XORXOR2564426092.xls
06/27/2023  08:53 PM           150,000 smTlX2350243133.xlsx
07/17/2023  09:41 PM           175,000 ZZZZZ3070700973.mdb
07/21/2023  09:53 PM           200,000 !!!!!533403438.ppt
07/21/2023  09:04 PM           225,000 XORXOR395504056.pps
07/09/2023  08:50 PM           250,000 smTlX634944309.pptx
07/09/2023  09:13 PM           275,000 ZZZZZ2775334046.pdf
06/27/2023  08:26 PM           300,000 !!!!!3608986092.avi
06/27/2023  08:56 PM           350,000 XORXOR189161240.db
06/27/2023  09:53 PM           350,000 smTlX416169661.pst
06/27/2023  09:54 PM           400,000 ZZZZZ2740091908.sql
07/21/2023  10:12 PM    <DIR>          !!!!!1300245113
09/15/2018  12:16 AM               174 desktop.ini
07/09/2023  09:28 PM            20,000 ZZZZZ3219714798.doc
07/21/2023  10:10 PM            50,240 !!!!!4004685157.doc
07/21/2023  09:34 PM         3,000,000 XORXOR3352709303.doc
07/21/2023  09:53 PM             1,024 smTlX3205606753.txt
07/09/2023  09:22 PM             2,024 ZZZZZ331100468.docx
07/17/2023  08:59 PM             4,048 !!!!!1274788081.pem
06/27/2023  08:58 PM            10,000 XORXOR647044953.jpg
07/21/2023  08:27 PM            20,000 smTlX1871256990.png
07/21/2023  08:42 PM            25,000 ZZZZZ638203430.bmp
07/21/2023  08:44 PM            30,000 !!!!!4241961912.eml
07/09/2023  08:58 PM           100,000 XORXOR1411632423.xls
06/27/2023  08:53 PM           150,000 smTlX743786790.xlsx
07/17/2023  09:41 PM           175,000 ZZZZZ4216568629.mdb
07/21/2023  09:53 PM           200,000 !!!!!2025383911.ppt
07/21/2023  09:04 PM           225,000 XORXOR1743807666.pps
07/09/2023  08:50 PM           250,000 smTlX229377095.pptx
07/09/2023  09:13 PM           275,000 ZZZZZ191670683.pdf
06/27/2023  08:26 PM           300,000 !!!!!1941248879.avi
06/27/2023  08:56 PM           350,000 XORXOR1946193784.db
06/27/2023  09:53 PM           350,000 smTlX2089358877.pst
06/27/2023  09:54 PM           400,000 ZZZZZ249794861.sql
07/21/2023  10:12 PM    <DIR>          !!!!!157789779
              43 File(s)     11,874,846 bytes
               4 Dir(s)  82,072,215,552 bytes free
```
Whether I run Command Prompt "as administrator" or not - does not matter, the result is the same.
While the malware itself is a separate issue, I'd like to produce a similar list in PowerShell so I could try to automate scanning for these and similar files across multiple machines.
Yet when I run `Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force` on the same server (as suggested elsewhere on SO e.g. in "How to list all files in a folder (do cmd's dir /A) in PowerShell?"), I get this:
```
PS C:\Users\<username>> Get-ChildItem -Path "C:\Users\Public\Downloads\" -Force

    Directory: C:\Users\Public\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-        9/15/2018  12:16 AM            174 desktop.ini
```
Running the above "as administrator" - same result.
... which begs the title question:
What is the PowerShell equivalent of "dir /a"?
P.S.
- I can't get the files in question to display in File Explorer - even after I enable hidden and system files
- It's Windows Server 2019. Its `C:\` drive is growing linearly at about ~95GB a month. The total disk space used (320GB) doesn't seem to add up when checking all root directories' sizes individually (100-150GB). I have a feeling these files may be the culprit.
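
A check that could be scripted for the discrepancy described above, as an added example that is not part of the original question: it collects the names reported by `dir /a` and by `Get-ChildItem -Force` for one directory and returns only the names the two listings disagree on. The function name `Compare-DirListing` and the server names in the commented call are hypothetical.

```powershell
# Added example (not from the original post): report names that cmd.exe's
# "dir /a" and Get-ChildItem -Force do not both return for the same directory.
function Compare-DirListing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # View 1: cmd.exe. /a = entries with any attribute, /b = bare names only
    # (no header, no "." and ".."). Blank lines are dropped.
    $cmdNames = @(& cmd.exe /d /c dir /a /b "$Path" 2>$null |
        Where-Object { $_ -and $_.Trim() })

    # View 2: the PowerShell FileSystem provider; -Force includes hidden
    # and system items.
    $psNames = @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    # -notin compares case-insensitively, matching NTFS default behaviour.
    # Caveat: names with non-ASCII characters can differ between the two
    # views purely because of console code-page conversion.
    $onlyCmd = @($cmdNames | Where-Object { $_ -notin $psNames })
    $onlyPs  = @($psNames  | Where-Object { $_ -notin $cmdNames })

    foreach ($name in $onlyCmd) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $Path
            Name         = $name
            SeenBy       = 'dir /a only'
        }
    }
    foreach ($name in $onlyPs) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $Path
            Name         = $name
            SeenBy       = 'Get-ChildItem -Force only'
        }
    }
}

# Local run against the directory from the question:
Compare-DirListing -Path 'C:\Users\Public\Downloads' | Format-Table -AutoSize

# Across machines over PowerShell remoting (server names are placeholders):
# Invoke-Command -ComputerName 'SERVER01','SERVER02' `
#     -ScriptBlock ${function:Compare-DirListing} `
#     -ArgumentList 'C:\Users\Public\Downloads'
```

An empty result means both enumeration methods returned the same set of names for that directory.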