Recently I downloaded a Windows 10 VM from Microsoft’s site. Today, in the C:\ drive, I saw a folder named BGinfo which I know I had not created.
After opening it, I saw two files.
In the openssh.ps1 file I found a URL.
After accessing the URL, an SSH setup executable file downloads. After searching for the URL in VirusTotal,
the result shows that 2 AVs out of 62 detected it as malware.
During the investigation I found that a BGinfo program had been added to the Startup programs. (I disabled it later.)
Also, SSH is installed on the server and services are running in Task Scheduler.
I ran Procmon and Netmon to analyze the behavior. I haven’t found any unusual activity/calls/traffic from/to a remote server, and I haven’t found any process/executable running in the background.
During the analysis I didn’t run this PowerShell script.
VirusTotal – [Link here]
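The kind of read-only triage the post describes (hashing the unexpected files, pulling URLs out of the .ps1 without executing it, and listing startup entries, scheduled tasks, services and processes that reference BGinfo or SSH) can be scripted so the findings are reproducible. The script below is an added example, not the poster's code or anything shipped with the VM; it assumes the folder C:\BGinfo and the script name openssh.ps1 from the post, and the `$Folder` parameter and the `bginfo|ssh` match pattern are illustrative choices that should be adjusted to the case at hand.

```powershell
# Added triage example (not the original poster's code). Assumes the suspicious
# folder is C:\BGinfo as in the post; override -Folder for a different path.
# Everything here is read-only: nothing is executed, disabled or deleted.
param(
    [string]$Folder = 'C:\BGinfo'
)

# 1. Hash every file in the folder so the hashes (rather than the files) can be
#    looked up in VirusTotal or compared against a freshly downloaded VM image.
Write-Host "== SHA-256 hashes of files under $Folder =="
Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Format-Table -AutoSize

# 2. Extract URLs from PowerShell scripts in the folder without running them.
Write-Host "== URLs referenced by *.ps1 files under $Folder =="
Get-ChildItem -Path $Folder -Filter '*.ps1' -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern 'https?://[^\s''"]+' -AllMatches |
    ForEach-Object {
        foreach ($m in $_.Matches) {
            [pscustomobject]@{ File = $_.Path; Url = $m.Value }
        }
    } | Format-Table -AutoSize

# 3. Startup entries: machine and user Run keys plus the Startup folders,
#    as reported by the Win32_StartupCommand CIM class.
Write-Host "== Startup commands (Run keys and Startup folders) =="
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Location, Command, User |
    Format-Table -AutoSize

# 4. Scheduled tasks whose actions mention bginfo, ssh or the folder itself.
Write-Host "== Scheduled tasks referencing bginfo/ssh/$Folder =="
Get-ScheduledTask |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            # Exec actions expose Execute/Arguments; other action types yield blanks.
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'bginfo|ssh' -or $cmd -like "*$Folder*") {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    } | Format-Table -AutoSize

# 5. Services and running processes related to SSH or BGinfo, to reconcile
#    with what Task Scheduler and the Startup list show.
Write-Host "== Services matching ssh =="
Get-Service |
    Where-Object { $_.Name -match 'ssh' -or $_.DisplayName -match 'ssh' } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

Write-Host "== Processes matching ssh/bginfo =="
Get-Process |
    Where-Object { $_.ProcessName -match 'ssh|bginfo' } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that service start types and process paths are visible; the output gives a single record of the file hashes, the embedded URL, and every persistence location that references the folder, which is what a comparison against a clean copy of the same VM image (or a VirusTotal hash lookup) needs.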