Sudden background/lock screen change

  • Question

  • Hi community!

    I am currently analyzing anomalous behavior related to the sudden change of a background/lock screen on a Windows 10 operating system. The user (not admin) does not remember having performed any action or knowing the brand of the image of the new configured wallpaper (it is the logo of another company), although at the level of commands and logs (via EDR) I can see that the following was executed:

    - C:\Windows\system32\desktopimgdownldr.exe /deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg /eventName:DesktopImageDownloadCancelEvent

    - C:\Windows\system32\desktopimgdownldr.exe /lockscreenurl:https://WWW.DOMAIN.COM/LockScreen2022V2.jpg /eventName:LockScreenImageDownloadCancelEvent

    The flow of processes would be given by a tree from major to minor as follows:
    1.   wininit.exe
    2.   services.exe
    3.   svchost.exe
    4.   omadmclient.exe
    5.   desktopimgdownldr.exe

    I have been looking for information and although it could be related to some type of LOLBAS attack, it does not seem to be the case since the use and the services executed seem to correspond to those of Windows and would be legitimate. Has anyone experienced a similar case? How could I confirm if it is a security incident or an accident? Could you carry out a proof of concept through the omadmclient.exe process that could confirm for me how to do it? Could you have made that change?

    Thank you very much in advance!
    Thursday, January 19, 2023 6:31 PM
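
One way to triage the EDR events described in the question, as an added example that is not part of the original post: it walks each desktopimgdownldr.exe launch back through its parents and compares the result with the chain the poster listed. The event field names (pid, ppid, image, cmdline), the helper names and all PIDs are assumptions; omadmclient.exe is the Windows MDM (OMA-DM) client.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Ancestry reported in the post, nearest parent first.
EXPECTED = ["omadmclient.exe", "svchost.exe", "services.exe", "wininit.exe"]
URL_ARG = re.compile(r"/(?:deskimgurl|lockscreenurl):(\S+)", re.IGNORECASE)

def ancestry(event, by_pid):
    """Parent image names, nearest first; stops at telemetry gaps or PID loops."""
    names, seen = [], {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        names.append(ntpath.basename(parent["image"]).lower())
        parent = by_pid.get(parent["ppid"])
    return names

def triage(events):
    """Classify every desktopimgdownldr.exe launch in a list of process events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "desktopimgdownldr.exe":
            continue
        reasons = []
        if ntpath.dirname(e["image"]).lower() != r"c:\windows\system32":
            reasons.append("binary not in System32")
        if ancestry(e, by_pid)[:len(EXPECTED)] != EXPECTED:
            reasons.append("ancestry differs from the chain in the post")
        urls = [urlsplit(u) for u in URL_ARG.findall(e["cmdline"])]
        if not urls or any(u.scheme != "https" for u in urls):
            reasons.append("missing or non-HTTPS image URL")
        findings.append({"pid": e["pid"], "reasons": reasons,
                         "hosts": sorted({u.hostname for u in urls if u.hostname}),
                         "verdict": "review" if reasons else "matches-post-chain"})
    return findings

def ev(pid, ppid, name, args=""):
    """Build one constructed event (hypothetical schema) for a System32 binary."""
    image = "C:\\Windows\\system32\\" + name
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": image + args}

# Constructed sample (PIDs invented): the post's tree, then a launch from cmd.exe.
SAMPLE = [
    ev(600, 500, "wininit.exe"), ev(700, 600, "services.exe"),
    ev(1200, 700, "svchost.exe"), ev(4100, 1200, "omadmclient.exe"),
    ev(5200, 4100, "desktopimgdownldr.exe", " /deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg /eventName:DesktopImageDownloadCancelEvent"),
    ev(6000, 3000, "cmd.exe"),  # parent 3000 absent: telemetry gap
    ev(6100, 6000, "desktopimgdownldr.exe", " /lockscreenurl:https://WWW.DOMAIN.COM/LockScreen2022V2.jpg /eventName:LockScreenImageDownloadCancelEvent"),
]
```

A `matches-post-chain` verdict only says the launch came through the MDM client; the returned `hosts` are what to compare against the image URLs configured in the organization's device-management policies.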

All replies

  • Hi,

    Have you tried troubleshooting your PC or laptop? There might be a chance of a software malfunction.

    Friday, January 20, 2023 5:30 AM
  • I have the same problem, I haven't found a solution yet :(
    Saturday, January 21, 2023 2:21 PM
  • I also face this issue on 21 Jan, I haven't found a solution yet :(
    Sunday, January 22, 2023 6:53 PM
  • Hi!

    Nope, nothing strange!

    Monday, January 23, 2023 5:29 PM
  • Does anyone else get the message "*Some of these are hidden or managed by your organization." when trying to change it back?
    Monday, January 23, 2023 5:34 PM
  • I suggest further investigation and analysis of the system, including reviewing user activity and network traffic. It may also be helpful to check for any recent software updates or changes made to the system. Additionally, consulting with a cybersecurity expert would be beneficial in determining if this is a security incident or an accident.
    17 hours 53 minutes ago