Windows Event Logs & Finding Evil - Skills Assessment

Event Viewer needs to be opened first, then the mentioned .evtx opened via “Open Saved Logs”; the proper event ID mentioned here is filtered, and there will be only a single occurrence, with an .exe name that starts with “W”.


Pls bro, I’m still finding it hard to get through with this chainsaw tool. What’s the command to use, pls? I have done the renaming part; I just need the right word to use after ./chainsaw hunt, pls.

Pls, what’s the event ID to search, pls? It’s 1 or 10 or 12? I am also stuck with this one below:

By examining the logs located in the “C:\Logs\Dump” directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe

Pls, has anyone solved this question? If yes, which event can one filter to get the info? Just the event.

Hi CipherCHi1, I don’t remember now; the proper Event ID was mentioned during the course (in this or previous modules) or in this thread.


Thanks, I figured it out; it’s in event 8.


I found the way to solve it. Maybe you already did.
But I read a lot about LSASS dumps, until I found that the usual extension is .dmp.
Then I filtered looking for dmp, and found the answer :)
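
The two filtering approaches mentioned in this thread (an event ID filter and a search for .dmp), combined into one triage script. This is an added example, not part of any post: it assumes the saved logs under `C:\Logs\Dump` are Sysmon .evtx files, and the variable names and the output layout are illustrative.

```powershell
# Added example. Assumption: the saved logs under C:\Logs\Dump are Sysmon .evtx files.
$logDir = 'C:\Logs\Dump'   # directory named in the assessment question

# Sysmon event IDs: 8 = CreateRemoteThread, 10 = ProcessAccess, 11 = FileCreate
$xpath = '*[System[(EventID=8 or EventID=10 or EventID=11)]]'

$hits = foreach ($file in Get-ChildItem -Path $logDir -Filter '*.evtx') {
    Get-WinEvent -Path $file.FullName -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.GetAttribute('Name')] = $node.InnerText
            }

            $actor = $null; $detail = $null
            if (@(8, 10) -contains $_.Id -and $data['TargetImage'] -like '*\lsass.exe') {
                # Another process opened a handle to, or started a thread in, LSASS
                $actor  = $data['SourceImage']
                $detail = "target=$($data['TargetImage']) access=$($data['GrantedAccess'])"
            }
            elseif ($_.Id -eq 11 -and $data['TargetFilename'] -like '*.dmp') {
                # A process wrote a file with the usual dump extension
                $actor  = $data['Image']
                $detail = "file=$($data['TargetFilename'])"
            }

            if ($actor) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Actor   = $actor
                    Detail  = $detail
                    Log     = $file.Name
                }
            }
        }
}

# One row per suspicious event, oldest first; the Actor column is the process to review
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Events 8 and 10 carry the acting process in `SourceImage`, while event 11 carries it in `Image`, which is why the script reads a different field per event ID.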