Back to DashboardBack to All Questions

Question Analysis

Windows registry events show that a new key under the Active Setup Installed Components branch was added to launch a payload immediately via runonce.exe. Which component name was created?

deff4586-0517-49c2-981d-bbea24d48d71
Question ID
2/16
Models Correct
1
Valid Answer
13%
Success Rate
Reference Answer

Human-validated correct answer for this question

atomic_test
Model Performance Comparison

See how different AI models performed on this question

ModelAnswerKQL QueryStatusAttemptsTimeCost
gemini-2.5-flash-preview-04-17
No answer provided
No query generated
Incorrect
5
0.00s
0.0431
gpt-35-turbo
No answer provided
No query generated
Incorrect
5
0.00s
0.0112
gpt-4-turbo-2024-04-09
No answer provided
No query generated
Incorrect
5
0.00s
0.2377
gpt-4.1
No answer provided
No query generated
Incorrect
5
0.00s
0.0407
gpt-4.1-finetuned
No answer provided
No query generated
Incorrect
5
0.00s
0.0460
gpt-4.1-mini
No answer provided
No query generated
Incorrect
5
0.00s
0.0064
gpt-4.1-nano
No answer provided
No query generated
Incorrect
5
0.00s
0.0015
gpt-4o
atomic_test
DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey has @"\SOFTWARE\Microsoft\Active Setup\Installed Components" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
Correct
1
4.80s
0.0163
grok-3-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.0897
grok-3-mini-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.0073
o1-high
No answer provided
No query generated
Incorrect
5
0.00s
0.7047
o1-low
atomic_test
DeviceRegistryEvents | where ActionType in ("RegistryKeyCreated", "RegistryValueSet", "RegistryValueCreated") | where RegistryKey has_any ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components") | where RegistryValueData has "runonce.exe" or RegistryValueName =~ "StubPath" | extend ComponentName = extract(@"Installed Components\\([^\\]+)", 1, RegistryKey) | project TimeGenerated, DeviceName, ActionType, ComponentName, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc
Correct
4
78.66s
0.6046
o3-mini-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0353
o3-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0358
o4-mini-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0378
o4-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0426