// question
On a Windows system, a non-standard image downloader was used to fetch a remote file by passing a URL to a lockscreen utility. Identify the executable responsible for launching that activity.
Reference KQL answer and model-by-model comparison.
afb5e09e-e385-4dee-9a94-6ee60979d114
question id
2/23
models correct
1
valid answer
9%
success rate
// reference answer
Human-validated correct answer for this question.
desktopimgdownldr.exe
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0538 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0110 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2372 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0443 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0508 |
| gpt-4.1-mini | powershell.exe | DeviceProcessEvents | where ProcessCommandLine contains "http" and (FileName contains "lockscreen" or ProcessCommandLine contains "lockscreen") | project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine | summarize count() by InitiatingProcessFileName, DeviceName | order by count_ desc | fail | 1 | 23.91s | 0.0022 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0012 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0471 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.2617 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0403 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0178 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0193 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0122 |
| gpt-5-nano-medium | powershell.exe | let StartTime = ago(1d);
let EndTime = now();
let DownloaderLaunchers = DeviceProcessEvents
| where TimeGenerated between (StartTime .. EndTime)
| where isnotempty(InitiatingProcessFileName)
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_any("http://","https://") or InitiatingProcessCommandLine has_any("http://","https://")
| project TimeGenerated, DownloaderProcess = FileName, DownloaderCmdLine = ProcessCommandLine, DownloaderProcessId = ProcessId, LauncherProcess = InitiatingProcessFileName, LauncherCmdLine = InitiatingProcessCommandLine, LauncherProcessId = InitiatingProcessId;
let NetworkEvents = DeviceNetworkEvents
| where TimeGenerated between (StartTime .. EndTime)
| where RemoteUrl has_any("http://","https://")
| project NetTime = TimeGenerated, NetRemoteUrl = RemoteUrl, NetInitiatingProcessId = InitiatingProcessId;
DownloaderLaunchers
| join kind=inner (NetworkEvents) on $left.DownloaderProcessId == $right.NetInitiatingProcessId
| project NetTime, NetRemoteUrl, LauncherProcess, LauncherCmdLine, LauncherProcessId, DownloaderProcess, DownloaderCmdLine, DownloaderProcessId
| sort by NetTime desc | fail | 3 | 95.79s | 0.0061 |
| grok-3-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0942 |
| grok-3-mini-beta | powershell.exe | DeviceNetworkEvents | where isnotempty(RemoteUrl) | summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName | project InitiatingProcessFileName, RemoteUrl, TimeGenerated, InitiatingProcessCommandLine | fail | 2 | 26.15s | 0.0031 |
| o1-high | no answer | no query generated | fail | 5 | 0.00s | 1.0098 |
| o1-low | no answer | no query generated | fail | 5 | 0.00s | 1.1161 |
| o3-high | desktopimgdownldr.exe | // 1. Look for the lock-screen image download utility being abused
DeviceProcessEvents
| where FileName =~ "desktopimgdownldr.exe" // Lock-screen image downloader
| where ProcessCommandLine has_any ("http://", "https://") // Must have been passed a URL
// 2. Bring back the process that actually launched the utility
| project
TimeGenerated,
DeviceId,
DeviceName,
DownloaderCommandLine = ProcessCommandLine,
DownloaderFolder = FolderPath,
ParentExecutable = InitiatingProcessFileName,
ParentCommandLine = InitiatingProcessCommandLine,
ParentFolder = InitiatingProcessFolderPath,
ParentSHA256 = InitiatingProcessSHA256,
ParentIntegrity = InitiatingProcessIntegrityLevel
// 3. Return distinct launchers – the executables responsible for the activity
| summarize Events = count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by
DeviceId,
DeviceName,
ParentExecutable,
ParentCommandLine,
ParentFolder,
ParentSHA256,
ParentIntegrity
| sort by LastSeen desc | pass | 1 | 36.81s | 0.0254 |
| o3-mini-high | desktopimgdownldr.exe | union DeviceProcessEvents, DeviceImageLoadEvents | where tolower(InitiatingProcessCommandLine) contains "http://" or tolower(InitiatingProcessCommandLine) contains "https://" | where tolower(InitiatingProcessCommandLine) contains "lockscreen" or tolower(ProcessCommandLine) contains "lockscreen" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessParentFileName, FolderPath | order by TimeGenerated desc | pass | 3 | 43.43s | 0.0302 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0600 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0503 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0539 |