// question
On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated.
Reference KQL answer and model-by-model comparison.
d400090a-d8ca-4be0-982e-c70598a23de9
question id
16/23
models correct
1
valid answer
70%
success rate
// reference answer
Human-validated correct answer for this question.
svchost-exe.dmp
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" | where InitiatingProcessFileName =~ "rundll32.exe" | where InitiatingProcessCommandLine has "comsvcs.dll" | where FolderPath has "Temp" | project Timestamp, DeviceName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256 | pass | 1 | 9.84s | 0.0028 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0115 |
| gpt-4-turbo-2024-04-09 | svchost-exe.dmp | DeviceFileEvents | where InitiatingProcessFileName == 'rundll32.exe' and InitiatingProcessCommandLine contains 'COMSVCS.DLL' and FolderPath contains 'Temp' | project FileName | pass | 1 | 10.35s | 0.0510 |
| gpt-4.1 | svchost-exe.dmp | DeviceFileEvents
| where ActionType == 'FileCreated'
| extend fileNameLower = tolower(FileName),
folderPathLower = tolower(FolderPath),
procFileNameLower = tolower(InitiatingProcessFileName),
procCmdLineLower = tolower(InitiatingProcessCommandLine)
| where procFileNameLower == 'rundll32.exe'
| where procCmdLineLower has 'comsvcs.dll' and procCmdLineLower has 'svchost'
| where folderPathLower has_any('\\temp', '/temp', '\temp', 'temp')
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | pass | 3 | 11.65s | 0.0268 |
| gpt-4.1-finetuned | C:\Users\wipro\AppData\Local\Temp\svchost-exe.dmp | DeviceFileEvents | where FolderPath contains "Temp" and InitiatingProcessCommandLine contains "comsvcs.dll" | extend DumpFile = FolderPath | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DumpFile, InitiatingProcessCommandLine, DeviceName | order by LastSeen desc | extend TimeGenerated = LastSeen | pass | 5 | 31.47s | 0.0294 |
| gpt-4.1-mini | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" | where InitiatingProcessFileName == "rundll32.exe" | where tostring(InitiatingProcessCommandLine) contains "COMSVCS.DLL" | where FolderPath contains "\\Temp" | project TimeGenerated, DeviceName, FolderPath, FileName | order by TimeGenerated desc | pass | 3 | 29.44s | 0.0040 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0012 |
| gpt-4o | svchost-exe.dmp | DeviceFileEvents | where FolderPath contains "Temp" and InitiatingProcessFileName == "rundll32.exe" and InitiatingProcessCommandLine contains "COMSVCS.DLL" | project TimeGenerated, FileName, FolderPath, InitiatingProcessCommandLine | pass | 1 | 22.42s | 0.0147 |
| gpt-5-high | svchost-exe.dmp | let TempRegex = @"\\Temp(\\|$)";
let rundll = DeviceProcessEvents
| where tolower(FileName) == "rundll32.exe"
| where ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump"
| project DeviceId, DeviceName, Rdl32PID=ProcessId, Rdl32Time=TimeGenerated, Rdl32Cmd=ProcessCommandLine;
union isfuzzy=true
(
DeviceFileEvents
| where ActionType in ("FileCreated", "FileCreated (Local)")
| where tolower(InitiatingProcessFileName) == "rundll32.exe"
| where InitiatingProcessCommandLine contains "comsvcs.dll" and InitiatingProcessCommandLine contains "MiniDump"
| where FolderPath matches regex TempRegex
| extend DumpFilePath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DumpFileName = FileName, DumpFilePath, FileSize, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId
),
(
DeviceFileEvents
| where ActionType in ("FileCreated", "FileCreated (Local)")
| where FolderPath matches regex TempRegex
| join kind=innerunique rundll on DeviceId
| where InitiatingProcessId == Rdl32PID
| where TimeGenerated between (Rdl32Time .. Rdl32Time + 10m)
| extend DumpFilePath = strcat(FolderPath, "\\", FileName)
| project TimeGenerated, DeviceName, DumpFileName = FileName, DumpFilePath, FileSize, InitiatingProcessCommandLine = Rdl32Cmd, InitiatingProcessFolderPath = "", InitiatingProcessId = Rdl32PID
)
| order by TimeGenerated desc | pass | 4 | 375.06s | 0.2076 |
| gpt-5-mini-high | svchost-exe.dmp | // Find files created by rundll32.exe using COMSVCS.DLL that likely dumped svchost.exe memory into Temp union isfuzzy=true (DeviceFileEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where InitiatingProcessFileName has_cs "rundll32.exe" or InitiatingProcessFileName has_cs "rundll32" | where InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or InitiatingProcessCommandLine has_cs "comsvcs.dll" | where FolderPath has_cs "\\Temp" or FileName has_cs "tmp" or FileName has_cs ".dmp" or FileName has_cs ".tmp" | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountName, AdditionalFields ) | union (DeviceEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where ActionType has_cs "FileCreated" or ActionType has_cs "Created" or Type has_cs "File" or FileName != "" | where InitiatingProcessFileName has_cs "rundll32.exe" or InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or ProcessCommandLine has_cs "COMSVCS.DLL" | where FolderPath has_cs "\\Temp" or FileName has_cs "tmp" or FileName has_cs ".dmp" or FileName has_cs ".tmp" | project TimeGenerated, DeviceName, FileName, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountName, AdditionalFields ) | where isnotempty(FileName) and (FileName endswith ".dmp" or FileName endswith ".tmp" or FolderPath has_cs "\\Temp") | extend FullPath = strcat(FolderPath, "\\", FileName) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Occurrences=count(), any_InitiatingProcessCommandLine=any(InitiatingProcessCommandLine), any_InitiatingProcessFileName=any(InitiatingProcessFileName) by DeviceName, FullPath, FileName, FolderPath, FileSize | where any_InitiatingProcessCommandLine has_cs "COMSVCS.DLL" or any_InitiatingProcessCommandLine has_cs "comsvcs.dll" | order by FirstSeen desc | take 50 | pass | 1 | 14.53s | 0.0036 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0143 |
| gpt-5-mini-medium | svchost-exe.dmp | // Locate dump file created by rundll32.exe leveraging COMSVCS.DLL against svchost
let initiators = dynamic(["rundll32","rundll32.exe"]);
union DeviceFileEvents, DeviceEvents
| where (tostring(InitiatingProcessFileName) has_any (initiators)
or (isnotempty(ProcessCommandLine) and ProcessCommandLine contains "rundll32")
or tostring(FileName) has_any (initiators))
// Ensure the command line / additional fields reference comsvcs.dll
| where (tolower(tostring(InitiatingProcessCommandLine)) contains "comsvcs.dll"
or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "comsvcs.dll")
or tostring(AdditionalFields) contains "comsvcs.dll")
// Ensure the command line / additional fields reference svchost
| where (tolower(tostring(InitiatingProcessCommandLine)) contains "svchost"
or (isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) contains "svchost")
or tostring(AdditionalFields) contains "svchost")
// Normalize file/folder fields
| extend DumpFile = tostring(coalesce(FileName, PreviousFileName, "")), FolderPath = tostring(coalesce(FolderPath, ""))
| where isnotempty(DumpFile) or tolower(FolderPath) contains "temp"
// Look for Temp-like locations or common dump extensions
| where tolower(FolderPath) contains "temp"
or tolower(DumpFile) endswith ".dmp"
or tolower(DumpFile) endswith ".mdmp"
or tolower(DumpFile) endswith ".dump"
or tolower(DumpFile) endswith ".tmp"
or tolower(DumpFile) endswith ".bin"
// Keep most recent per device+file and show relevant context
| summarize arg_max(TimeGenerated, *) by DeviceId, DumpFile
| where isnotempty(DumpFile)
| project TimeGenerated, DeviceName, DeviceId, DumpFile, FolderPath, FileSize, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields
| order by TimeGenerated desc | pass | 5 | 77.81s | 0.0200 |
| gpt-5-nano-high | svchost-exe.dmp | DeviceFileEvents
| where InitiatingProcessFileName contains "rundll32.exe" or InitiatingProcessCommandLine contains "rundll32.exe"
| where InitiatingProcessCommandLine contains "COMSVCS.DLL" or InitiatingProcessFileName contains "COMSVCS.DLL"
| where ActionType in ("CreateFile","FileCreated")
| extend FileNameLower = tolower(FileName), FolderPathLower = tolower(FolderPath)
| where FileNameLower endswith ".dmp" and FolderPathLower contains "temp"
| extend FullPath = strcat(FolderPath, FileName)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, FullPath, FileSize, ReportId | pass | 1 | 35.54s | 0.0021 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0088 |
| grok-3-beta | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath contains "Temp" | where InitiatingProcessFileName == "rundll32.exe" | where InitiatingProcessCommandLine contains "COMSVCS" or InitiatingProcessCommandLine contains "svchost.exe" | project Timestamp, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName | order by Timestamp desc | pass | 1 | 12.40s | 0.0226 |
| grok-3-mini-beta | svchost-exe.dmp | DeviceFileEvents | where InitiatingProcessFileName =~ 'rundll32.exe' | where InitiatingProcessCommandLine contains 'comsvcs.dll' and InitiatingProcessCommandLine contains 'MiniDump' | where FolderPath contains 'Temp' | project FileName | distinct FileName | pass | 2 | 26.17s | 0.0029 |
| o1-high | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath contains "Temp" | where InitiatingProcessFileName == "rundll32.exe" | where InitiatingProcessCommandLine has "comsvcs.dll" | project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 20.19s | 0.1435 |
| o1-low | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" | where InitiatingProcessFileName =~ "rundll32.exe" | where InitiatingProcessCommandLine has "comsvcs.dll" | where FolderPath contains "Temp" | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 25.63s | 0.1797 |
| o3-high | svchost-exe.dmp | DeviceFileEvents
| where ActionType startswith "FileCreated" // file creation events
| where tolower(InitiatingProcessFileName) == "rundll32.exe"
| where tolower(InitiatingProcessCommandLine) has "comsvcs.dll" // COMSVCS DLL memory dump
| where tolower(FolderPath) contains "\\temp\\" // written into a Temp directory
// optional: uncomment if you only care about .dmp files
// | where FileName endswith ".dmp"
| project TimeGenerated,
DeviceName,
DumpFilePath = strcat(FolderPath, "\\", FileName),
FileName,
FileSize,
SHA256,
InitiatingProcessCommandLine
| order by TimeGenerated desc
// If multiple entries exist and you only need the latest per host, replace the last line with:
// | summarize arg_max(TimeGenerated, *) by DeviceName | pass | 1 | 43.31s | 0.0226 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0428 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0490 |
| o4-mini-high | svchost-exe.dmp | DeviceFileEvents | where ActionType == "FileCreated" // Identify rundll32.exe loading COMSVCS.DLL | where InitiatingProcessFileName == "rundll32.exe" | where tolower(InitiatingProcessCommandLine) contains "comsvcs.dll" // Focus on Temp folder | where tolower(FolderPath) contains "\\temp\\" // Look only for dump files | where tolower(FileName) endswith ".dmp" // Return relevant details | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, InitiatingProcessCommandLine | distinct FileName, FolderPath, DeviceName, InitiatingProcessAccountName, TimeGenerated, InitiatingProcessCommandLine | pass | 1 | 29.37s | 0.0111 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0260 |