Back to DashboardBack to All Questions

Question Analysis

Windows registry events show that a new key under the Active Setup Installed Components branch was added to launch a payload immediately via runonce.exe. Which component name was created?

deff4586-0517-49c2-981d-bbea24d48d71
Question ID
6/23
Models Correct
1
Valid Answer
26%
Success Rate
Reference Answer

Human-validated correct answer for this question

atomic_test
Model Performance Comparison

See how different AI models performed on this question

ModelAnswerKQL QueryStatusAttemptsTimeCost
gemini-2.5-flash-preview-04-17
No answer provided
No query generated
Incorrect
5
0.00s
0.0431
gpt-35-turbo
No answer provided
No query generated
Incorrect
5
0.00s
0.0112
gpt-4-turbo-2024-04-09
No answer provided
No query generated
Incorrect
5
0.00s
0.2377
gpt-4.1
No answer provided
No query generated
Incorrect
5
0.00s
0.0407
gpt-4.1-finetuned
No answer provided
No query generated
Incorrect
5
0.00s
0.0460
gpt-4.1-mini
No answer provided
No query generated
Incorrect
5
0.00s
0.0064
gpt-4.1-nano
No answer provided
No query generated
Incorrect
5
0.00s
0.0015
gpt-4o
atomic_test
DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey has @"\SOFTWARE\Microsoft\Active Setup\Installed Components" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
Correct
1
4.80s
0.0163
gpt-5-high
atomic_test
let ActiveSetupEvents = DeviceRegistryEvents | where ActionType in ("RegistryKeyCreated","RegistryValueCreated","RegistryValueSet") | where RegistryKey has "\\Microsoft\\Active Setup\\Installed Components\\" | extend ComponentId = tostring(extract(@"(?i)\\active setup\\installed components\\([^\\]+)", 1, RegistryKey)) | where isnotempty(ComponentId); let KeyCreated = ActiveSetupEvents | where ActionType == "RegistryKeyCreated" | summarize KeyCreateTime=min(TimeGenerated), CreatedByProcess=any(InitiatingProcessFileName), CreatedByCommandLine=any(InitiatingProcessCommandLine) by DeviceId, DeviceName, ComponentId; let ValuePivot = ActiveSetupEvents | summarize StubPath=anyif(RegistryValueData, tolower(RegistryValueName) == "stubpath"), DisplayName=anyif(RegistryValueData, tolower(RegistryValueName) == "displayname"), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceId, DeviceName, ComponentId; let RunOnce = DeviceProcessEvents | where FileName =~ "runonce.exe" | project DeviceId, RunOnceTime=TimeGenerated, RunOnceCmd=ProcessCommandLine; KeyCreated | join kind=inner (RunOnce) on DeviceId | where KeyCreateTime between (RunOnceTime - 15m .. RunOnceTime + 30m) | join kind=leftouter (ValuePivot) on DeviceId, ComponentId | extend ComponentName = coalesce(DisplayName, ComponentId) | project TimeCreated=KeyCreateTime, DeviceName, ComponentName, ComponentId, StubPath, CreatedByProcess, CreatedByCommandLine, RunOnceTime, RunOnceCmd | order by TimeCreated desc
Correct
2
193.88s
0.1063
gpt-5-mini-high
atomic_test
DeviceRegistryEvents | where RegistryKey has_cs "Active Setup\\Installed Components" // Look for created keys or values that reference runonce.exe or RunOnce | where ActionType in ("RegistryKeyAdded", "RegistryValueSet", "ValueAdded", "SetValue") or RegistryValueData has_cs "runonce.exe" or RegistryValueData has_cs "RunOnce" | extend Component = extract(@"Installed Components\\([^\\]+)", 1, RegistryKey) | where isnotempty(Component) | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, Component, ActionType, InitiatingProcessId, ReportId | sort by TimeGenerated desc
Correct
1
8.90s
0.0030
gpt-5-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0084
gpt-5-mini-medium
No answer provided
No query generated
Incorrect
5
0.00s
0.0084
gpt-5-nano-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0082
gpt-5-nano-medium
atomic_test
DeviceRegistryEvents | where RegistryKey has "Active Setup" and RegistryKey has "Installed Components" | where InitiatingProcessFileName endswith "runonce.exe" or InitiatingProcessCommandLine has "runonce.exe" | extend Parts = split(RegistryKey, "\\") | extend CreatedKey = tostring(Parts[array_length(Parts)-1]) | extend ComponentName = iff( RegistryValueName in ("ComponentName","DisplayName"), RegistryValueData, CreatedKey ) | where isnotempty(ComponentName) | project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, ComponentName | distinct ComponentName
Correct
1
41.72s
0.0026
grok-3-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.0897
grok-3-mini-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.0073
o1-high
No answer provided
No query generated
Incorrect
5
0.00s
0.7047
o1-low
atomic_test
DeviceRegistryEvents | where ActionType in ("RegistryKeyCreated", "RegistryValueSet", "RegistryValueCreated") | where RegistryKey has_any ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components") | where RegistryValueData has "runonce.exe" or RegistryValueName =~ "StubPath" | extend ComponentName = extract(@"Installed Components\\([^\\]+)", 1, RegistryKey) | project TimeGenerated, DeviceName, ActionType, ComponentName, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc
Correct
4
78.66s
0.6046
o3-high
atomic_test
// New Active-Setup component keys created DeviceRegistryEvents | where ActionType == "RegistryKeyCreated" | where RegistryKey has "Active Setup\\Installed Components\\" // covers both HKLM and HKEY_LOCAL_MACHINE forms // Pull the component (sub-key) name that follows …Active Setup\Installed Components\ | extend ComponentName = extract(@"Active Setup\\Installed Components\\([^\\]+)", 1, RegistryKey) | where isnotempty(ComponentName) // Summarise the observation window for every component per device | summarize FirstObserved=min(TimeGenerated), LastObserved=max(TimeGenerated) by ComponentName, DeviceName, DeviceId | order by FirstObserved asc
Correct
2
50.66s
0.0314
o3-mini-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0353
o3-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0358
o4-mini-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0378
o4-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0426