Sudden background/lock screen change

Question
Hi community!
I am currently analyzing anomalous behavior related to the sudden change of a background/lock screen on a Windows 10 operating system. The user (not admin) does not remember having performed any action or knowing the brand of the image of the new configured wallpaper (it is the logo of another company), although at the level of commands and logs (via EDR) I can see that the following was executed:
- C:\Windows\system32\desktopimgdownldr.exe /deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg /eventName:DesktopImageDownloadCancelEvent
- C:\Windows\system32\desktopimgdownldr.exe /lockscreenurl:https://WWW.DOMAIN.COM/LockScreen2022V2.jpg /eventName:LockScreenImageDownloadCancelEvent
The flow of processes would be given by a tree from major to minor as follows:
1. wininit.exe
2. services.exe
3. svchost.exe
4. omadmclient.exe
5. desktopimgdownldr.exe
I have been looking for information and although it could be related to some type of LOLBAS attack, it does not seem to be the case since the use and the services executed seem to correspond to those of Windows and would be legitimate. Has anyone experienced a similar case? How could I confirm if it is a security incident or an accident? Could you carry out a proof of concept through the omadmclient.exe process that could confirm for me how to do it? Could you have made that change?
Thank you very much in advance!
All replies
I suggest further investigation and analysis of the system, including reviewing user activity and network traffic. It may also be helpful to check for any recent software updates or changes made to the system. Additionally, consulting with a cybersecurity expert would be beneficial in determining if this is a security incident or an accident.
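
An added triage sketch for the EDR events described in the question (not part of the original thread or of any reply): omadmclient.exe is the Windows MDM (OMA-DM) client, so the check confirms that desktopimgdownldr.exe ran from System32 under the reported parent chain and that each image URL points at a host the organisation expects. The event dictionary layout, the `triage` function and the approved-host set are assumptions, and the sample events are constructed from the command lines in the question.

```python
import re
from urllib.parse import urlsplit

# Ancestor chain reported in the question, nearest parent first.
EXPECTED_ANCESTORS = ["omadmclient.exe", "svchost.exe", "services.exe", "wininit.exe"]
EXPECTED_IMAGE = r"c:\windows\system32\desktopimgdownldr.exe"
URL_ARG = re.compile(r"/(deskimgurl|lockscreenurl):(\S+)", re.IGNORECASE)


def triage(event, approved_hosts):
    """Return a list of findings; an empty list means the event matches
    the MDM-driven pattern and every image host is on the approved list."""
    findings = []
    if event["image"].lower() != EXPECTED_IMAGE:
        findings.append("binary not running from System32: " + event["image"])
    ancestors = [name.lower() for name in event["ancestors"]]
    if ancestors[:len(EXPECTED_ANCESTORS)] != EXPECTED_ANCESTORS:
        findings.append("unexpected parent chain: " + " <- ".join(ancestors))
    urls = URL_ARG.findall(event["command_line"])
    if not urls:
        findings.append("no image URL argument on command line")
    for switch, url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append(f"{switch}: non-HTTPS source {url}")
        if host not in approved_hosts:
            findings.append(f"{switch}: host {host} not an approved image source")
    return findings


# Constructed sample events modelled on the command lines in the question.
SAMPLE_MDM = {
    "image": r"C:\Windows\system32\desktopimgdownldr.exe",
    "command_line": r"C:\Windows\system32\desktopimgdownldr.exe "
                    "/deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg "
                    "/eventName:DesktopImageDownloadCancelEvent",
    "ancestors": ["omadmclient.exe", "svchost.exe", "services.exe", "wininit.exe"],
}
SAMPLE_ODD = dict(SAMPLE_MDM, ancestors=["cmd.exe", "explorer.exe"])

if __name__ == "__main__":
    # intranet.example.org is a placeholder for the organisation's own image host.
    for name, ev in (("mdm", SAMPLE_MDM), ("odd", SAMPLE_ODD)):
        print(name, triage(ev, approved_hosts={"intranet.example.org"}))
```

A clean parent chain with an unapproved host, as in the first sample, points the investigation at which MDM enrollment or policy delivered the URL rather than at the endpoint itself.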