Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Spoofer.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.091844202650423
Filename:	Spoofer.exe
Filesize:	167912
MD5:	ffcd50b0755fa610e1ae01815431d1cb
SHA1:	feff8f1a2f9ce0ac4dc7b759d7bf9f2159eb8d92
SHA256:	a4c7cd980edcf99283128cfa36dbabcda06410b202c5c69c5c9db05bb9856d12
SHA512:	2c1da426c963abb145ce23a97a4de767c357f4cbc20ea4cb967a25fed217fb49e429ea51798b0d9b9b04cb8122ed61c93ccec322f6db9f006039b8fbf4b6c7d9
SSDEEP:	3072:nx6a306MCf9MWvUH2YGvRV2KnNShMhJSNouU24tBego:x43CfCdWVXfn59u+a
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........J...J...J...^...A...^...O...^...........o.......X.......C...^...A...J...1.......H.....K.K.......K...RichJ...........PE..d..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Deletes shadow drive data (may be related to ransomware)	Spam, unwanted Advertisements and Ransom Demands
Infects the VBR (Volume Boot Record) of the hard disk	Persistence and Installation Behavior	Bootkit
Machine Learning detection for sample	AV Detection
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Deletes files inside the Windows folder	System Summary	File Deletion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Modifies existing windows services	Boot Survival	Windows Service
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation	File Deletion
Queries the product ID of Windows	Language, Device and Operating System Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Enumerates the file system	Spreading, Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 239616, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 103512102, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0e6b81a761ae64d9a

dropped

Details

File:	C:
Category:	dropped
Dump:	C_.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Spoofer.exe
Type:	DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 239616, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 103512102, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0e6b81a761ae64d9a
Entropy:	5.898304525321565
Encrypted:	false
Ssdeep:	12:vNwubma2Rzg3jDFp2rznDLtVOyOzrhYTRwpWmpIiX7SZ:vNwuCaAzs0FcyWtYm5miXuZ
Size:	512
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Infects the VBR (Volume Boot Record) of the hard disk	Persistence and Installation Behavior	Bootkit
Deletes files inside the Windows folder	System Summary	File Deletion
One or more processes crash	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Creates temporary files	System Summary
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Reads ini files	System Summary	File and Directory Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Spoofer.exe_5ed0293ca218faa8dff17315f2dedc23bf426c7_70ccc5ba_7ceef89b-93f1-4bd1-8702-65623f27d4c0\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Spoofer.exe_5ed0293ca218faa8dff17315f2dedc23bf426c7_70ccc5ba_7ceef89b-93f1-4bd1-8702-65623f27d4c0\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9200536783213388
Encrypted:	false
Ssdeep:	96:b5FnnyuvnsXhoSV7o/PS3QXIDcQNc6GcEdcw32P+HbHg/8BRTf3o8Fa9KENOyPmQ:t19nXxV0DCXCUjBPXezuiFe+74lO88
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Deletes shadow drive data (may be related to ransomware)	Spam, unwanted Advertisements and Ransom Demands	File Deletion
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F01.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Oct 31 05:51:07 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F01.tmp.dmp
Category:	dropped
Dump:	WER3F01.tmp.dmp.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Thu Oct 31 05:51:07 2024, 0x1205a4 type
Entropy:	1.0514769824800567
Encrypted:	false
Ssdeep:	384:7aUov6WlRLeVAuhgHofe2brpThl/x3M8s9kSrAHnowJ:7aNCWlRVuh0CeSpTjx3M8sD4o
Size:	331606
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41E0.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER41E0.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER41E0.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.687726693683082
Encrypted:	false
Ssdeep:	192:R6l7vWeJsj7RQ26YEI01oPYgmfNGJpD089bvbCUf1Vjm:R6lL5JW7RQ26YEb1oPYgmfNGtvbZf36
Size:	8508
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4210.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4210.tmp.xml
Category:	dropped
Dump:	WER4210.tmp.xml.5.dr
ID:	dr_6
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.414160429019628
Encrypted:	false
Ssdeep:	48:cvIwWl8zs7JgdY6I9EiCWpW8hvYm8M4JYp6FoWdEyq8v7pK1TGRd:uIjfV0YyiD7YJahWdEWtK1TGRd
Size:	4732
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421643561520963
Encrypted:	false
Ssdeep:	6144:uSvfpi6ceLP/9skLmb0OT6WSPHaJG8nAgeMZMMhA2fX4WABlEnNL0uhiTw:NvloT6W+EZMM6DFyl03w
Size:	1835008
Whitelisted:	false
Reputation:	low

\Device\ConDrv

ISO-8859 text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Spoofer.exe
Type:	ISO-8859 text, with CRLF line terminators
Entropy:	5.457717668315387
Encrypted:	false
Ssdeep:	384:MVDNlyNBmNo+ijDU6hlB5nRzpqUNSN9NU1lB/QwgG/KgNDNCNNN8N/NONJNYNhNP:wOWiNEnmC/OxknqVoLefTUFKaxhM7hVl
Size:	17556
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Spoofer.exe

"C:\Users\user\Desktop\Spoofer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1776
Target ID:	0
Parent PID:	1028
Name:	Spoofer.exe
Path:	C:\Users\user\Desktop\Spoofer.exe
Commandline:	"C:\Users\user\Desktop\Spoofer.exe"
Size:	167912
MD5:	FFCD50B0755FA610E1AE01815431D1CB
Time:	01:50:57
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff79fa30000
Modulesize:	188416
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Deletes shadow drive data (may be related to ransomware)	Spam, unwanted Advertisements and Ransom Demands	File Deletion
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7132
Target ID:	1
Parent PID:	1776
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:50:57
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284

Details

Is windows:	true
Is dropped:	false
PID:	5960
Target ID:	5
Parent PID:	1776
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1776 -s 1284
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	01:51:07
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7a4e60000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

LastUse

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

SystemBiosVersion

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

EnclosureType

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

SystemManufacturer

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

SystemProductName

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

BIOSVendor

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

BIOSVersion

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

BIOSReleaseDate

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

SystemVersion

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}

BootDriverFlags

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{afd0bde3-d6cc-5df7-a63f-f8fa5623e5ea}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{6a457f46-f2df-581d-8118-af53ddb13c1d}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{baeaa7f3-89b5-53f3-b93c-d75328c29650}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{4a8a248d-9e6b-5216-b83e-6cdf9bde8d0d}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{27ba637b-843e-58ac-8d78-3006feac89d3}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ComputerIds

{1aaa6118-f19d-50ee-b799-86dfb0bfaf55}

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ProductIds

{afd0bde3-d6cc-5df7-a63f-f8fa5623e5ea}_amd64

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ProductIds

{6a457f46-f2df-581d-8118-af53ddb13c1d}_amd64

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ProductIds

{baeaa7f3-89b5-53f3-b93c-d75328c29650}_amd64

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{c448340f-9fa7-aece-bb9e-5e111a13d127}\ProductIds

{4a8a248d-9e6b-5216-b83e-6cdf9bde8d0d}_amd64

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}

MaxCapacity

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}

NukeOnDelete

HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig

LastConfig

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TPM\WMI

WindowsAIKHash

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0

Identifier

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 3\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

MachineGuid

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001

HwProfileGuid

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

SusClientId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

SusClientIdValidation

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters

Dhcpv6DUID

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation

ComputerHardwareId

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation

ComputerHardwareIds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration

IE Installed Date

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient

MachineId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient

WinSqmFirstSessionStartTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

InstallTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

InstallDate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

DigitalProductId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

DigitalProductId4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

BuildGUID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

BuildLab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

BuildLabEx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0003

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0004

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0005

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0006

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0007

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0008

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0009

NetworkInterfaceInstallTimestamp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager

LastEventlogWrittenTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation

ProductActivationTime