advent-of-cyber-2025

Room Link:
https://tryhackme.com/room/registry-forensics-aoc2025-h6k9j2l5p8

▶️ cyb3rvalkyrie – Day 16 Video Walkthrough

Official walkthrough for quick onboarding:

🔗 YouTube Link:
https://youtu.be/wQaa8Fj52EA?si=dqXPVygVDEamBwFh


🎄 Advent of Cyber 2025 — Day 16 Write-Up

🧩 Forensics — Registry Furensics


✅ Challenge Answers


🗂️ Loading Registry Hives

Load the SYSTEM, SOFTWARE, and NTUSER.DAT hives using the same process.


1️⃣ What application was installed on dispatch-srv01 before abnormal activity began?

DroneManager Updater

2️⃣ What is the full path from which the user launched the application?

C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe

3️⃣ Which registry value was added by the application to maintain persistence at startup?

"C:\Program Files\DroneManager\dronehelper.exe" --background