Forensics - Registry Furensics | Advent of Cyber 2025 - Day 16
This guide contains the answers, and the steps needed to reach them, for the Forensics - Registry Furensics room.
Investigate the Gifts Delivery Malfunctioning
What application was installed on the dispatch-srv01 before the abnormal activity started?
Looking at the provided table, this can most likely be found in the SOFTWARE hive. Let's load it in Registry Explorer (don't forget to add the transaction logs).
The first path to look in is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, as it stores information on all installed programs.
Sorting the list by the install date makes things a bit easier. We are looking for something installed on or before the 21st of October 2025. Looks like there is a program that was installed just before or on the date when strange things started happening.
Answer: Dronemanager Updater
What is the full path where the user launched the application (found in question 1) from?
For this we need to load the NTUSER.DAT hive as well. Then we can look into the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist key for the previously found program.
Answer: C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe
Which value was added by the application to maintain persistence on startup?
To look at values related to automatically run programs we should look into the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.
Here we see one entry that looks related to the previously found program. Let's look at the value that was added to this entry.
Answer: C:\Program Files\DroneManager\dronehelper.exe" --background
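As an added example (not part of the room or this guide), here is a small Python helper that does by hand two things Registry Explorer does for you: it decodes a UserAssist entry (ROT13-encoded name, run count, last-run FILETIME) and splits a Run-key command line into executable and arguments. The UserAssist bytes and the Run value below are constructed sample data, not values taken from the room's hives.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_userassist(value_name: str, raw: bytes) -> dict:
    """Decode one UserAssist entry using the Windows 7+ 72-byte layout:
    the value name is ROT13-encoded, the run count is a uint32 at
    offset 4 and the last-execution FILETIME is a uint64 at offset 60."""
    if len(raw) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    return {
        "path": codecs.decode(value_name, "rot13"),
        "run_count": struct.unpack_from("<I", raw, 4)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", raw, 60)[0]),
    }

def parse_run_value(command: str) -> Tuple[str, str]:
    """Split a Run-key command line into (executable path, arguments),
    honouring a double-quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()

# Constructed sample data (not from the room's hives): a UserAssist entry
# for the installer path and the Run value of the persistence entry.
SAMPLE_PATH = r"C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe"
SAMPLE_NAME = codecs.encode(SAMPLE_PATH, "rot13")
SAMPLE_LAST_RUN = datetime(2025, 10, 21, 9, 30, tzinfo=timezone.utc)
SAMPLE_RAW = (struct.pack("<II", 0, 1) + bytes(52)          # session id, run count, padding
              + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN)) + bytes(4))
SAMPLE_RUN = r'"C:\Program Files\DroneManager\dronehelper.exe" --background'

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_RAW))
    print(parse_run_value(SAMPLE_RUN))
```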
If you enjoyed today's room, feel free to check out the Expediting Registry Analysis room.