// question

On a Windows system, a non-standard image downloader was used to fetch a remote file by passing a URL to a lockscreen utility. Identify the executable responsible for launching that activity.

Reference KQL answer and model-by-model comparison.

afb5e09e-e385-4dee-9a94-6ee60979d114
question id
2/23
models correct
1
valid answer
9%
success rate
// reference answer

Human-validated correct answer for this question.

desktopimgdownldr.exe
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0538
gpt-35-turbo
no answer
no query generatedfail50.00s0.0110
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2372
gpt-4.1
no answer
no query generatedfail50.00s0.0443
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0508
gpt-4.1-mini
powershell.exe
DeviceProcessEvents
| where ProcessCommandLine contains "http" and (FileName contains "lockscreen" or ProcessCommandLine contains "lockscreen")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| summarize count() by InitiatingProcessFileName, DeviceName
| order by count_ desc
fail123.91s0.0022
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0012
gpt-4o
no answer
no query generatedfail50.00s0.0471
gpt-5-high
no answer
no query generatedfail50.00s0.2617
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0403
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0178
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0193
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0122
gpt-5-nano-medium
powershell.exe
let StartTime = ago(1d);
let EndTime = now();

let DownloaderLaunchers = DeviceProcessEvents
| where TimeGenerated between (StartTime .. EndTime)
| where isnotempty(InitiatingProcessFileName)
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_any("http://","https://") or InitiatingProcessCommandLine has_any("http://","https://")
| project TimeGenerated, DownloaderProcess = FileName, DownloaderCmdLine = ProcessCommandLine, DownloaderProcessId = ProcessId, LauncherProcess = InitiatingProcessFileName, LauncherCmdLine = InitiatingProcessCommandLine, LauncherProcessId = InitiatingProcessId;

let NetworkEvents = DeviceNetworkEvents
| where TimeGenerated between (StartTime .. EndTime)
| where RemoteUrl has_any("http://","https://")
| project NetTime = TimeGenerated, NetRemoteUrl = RemoteUrl, NetInitiatingProcessId = InitiatingProcessId;

DownloaderLaunchers
| join kind=inner (NetworkEvents) on $left.DownloaderProcessId == $right.NetInitiatingProcessId
| project NetTime, NetRemoteUrl, LauncherProcess, LauncherCmdLine, LauncherProcessId, DownloaderProcess, DownloaderCmdLine, DownloaderProcessId
| sort by NetTime desc
fail395.79s0.0061
grok-3-beta
no answer
no query generatedfail50.00s0.0942
grok-3-mini-beta
powershell.exe
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| summarize arg_max(TimeGenerated, *) by InitiatingProcessFileName
| project InitiatingProcessFileName, RemoteUrl, TimeGenerated, InitiatingProcessCommandLine
fail226.15s0.0031
o1-high
no answer
no query generatedfail50.00s1.0098
o1-low
no answer
no query generatedfail50.00s1.1161
o3-high
desktopimgdownldr.exe
// 1. Look for the lock-screen image download utility being abused
DeviceProcessEvents
| where FileName =~ "desktopimgdownldr.exe"          // Lock-screen image downloader
| where ProcessCommandLine has_any ("http://", "https://") // Must have been passed a URL
// 2. Bring back the process that actually launched the utility
| project
    TimeGenerated,
    DeviceId,
    DeviceName,
    DownloaderCommandLine = ProcessCommandLine,
    DownloaderFolder     = FolderPath,
    ParentExecutable     = InitiatingProcessFileName,
    ParentCommandLine    = InitiatingProcessCommandLine,
    ParentFolder         = InitiatingProcessFolderPath,
    ParentSHA256         = InitiatingProcessSHA256,
    ParentIntegrity      = InitiatingProcessIntegrityLevel
// 3. Return distinct launchers – the executables responsible for the activity
| summarize Events = count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by 
          DeviceId,
          DeviceName,
          ParentExecutable,
          ParentCommandLine,
          ParentFolder,
          ParentSHA256,
          ParentIntegrity
| sort by LastSeen desc
pass136.81s0.0254
o3-mini-high
desktopimgdownldr.exe
union DeviceProcessEvents, DeviceImageLoadEvents
| where tolower(InitiatingProcessCommandLine) contains "http://" or tolower(InitiatingProcessCommandLine) contains "https://"
| where tolower(InitiatingProcessCommandLine) contains "lockscreen" or tolower(ProcessCommandLine) contains "lockscreen"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessParentFileName, FolderPath
| order by TimeGenerated desc
pass343.43s0.0302
o3-mini-low
no answer
no query generatedfail50.00s0.0600
o4-mini-high
no answer
no query generatedfail50.00s0.0503
o4-mini-low
no answer
no query generatedfail50.00s0.0539