Blog | G5 Cyber Security

Yeabests.cc: A fileless infection using WMI to hijack your Browser

Windows comes with a tool called Windows Management Instrumentation, or WMI, that system administrators can use to receive information and notifications from Windows. WMI can also be used to launch VBScript or PowerShell scripts when a particular event occurs, such as when a file is created or some other system event has occurred. When executed, this hijacker infects a victim’s browser shortcuts by adding http://yeabests.cc as an argument to the executable.

Source: https://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infection-using-wmi-to-hijack-your-browser/
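
To check a machine for the two traces described above (a WMI event subscription that runs a script, and browser shortcuts with a URL appended as an argument), the following read-only PowerShell audit can be used. It is an added example, not code from the original article; the browser executable list and the folders searched are assumptions to adjust for your environment.

```powershell
# Added example: read-only audit, not code from the article.
$ns = 'root\subscription'

# 1. Permanent WMI event consumers that can run a script or a command line.
$consumers = foreach ($class in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
    Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ScriptText/ScriptFileName exist on script consumers,
            # CommandLineTemplate on command-line consumers.
            $payload = @($_.ScriptText, $_.ScriptFileName, $_.CommandLineTemplate) |
                Where-Object { $_ }
            [pscustomobject]@{
                Class   = $class
                Name    = $_.Name
                Payload = $payload -join ' | '
            }
        }
}

# 2. Event filters: the WQL queries that decide when a consumer fires.
$filters = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, Query

# 3. Browser shortcuts whose arguments carry a URL.
$browsers = 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe', 'opera.exe'  # assumed list
$dirs = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
) | Where-Object { $_ -and (Test-Path $_) }   # assumed search locations

$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the .lnk for reading; nothing is saved
        if ($lnk.TargetPath -and
            (Split-Path $lnk.TargetPath -Leaf) -in $browsers -and
            $lnk.Arguments -match 'https?://') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }

$consumers | Format-List
$filters   | Format-List
$shortcuts | Format-List
```

An elevated session is typically needed to read the root\subscription namespace. Legitimate software also registers WMI consumers and some users add start-page arguments on purpose, so review each hit rather than treating it as confirmed infection.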
