wuauclt.exe

  • File Path: C:\Windows\system32\wuauclt.exe
  • Description: Windows Update

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 7582BF723A39B56BCCEF2C170E330BD7 |
| SHA1 | 6A16C96B91A36893712A7EC1D505BB0777D5C122 |
| SHA256 | 69E3A2D3A61FEC056B012F73C943E078168454F4D2D3FECA2896A5E25D370739 |
| SHA384 | 977AA78AE012E13F95C5E3CB4847C0DD4059EFD428E37486BC94A3801F043E06585EF03F5CC5FBA524139DF49CDC1DD4 |
| SHA512 | 2166CD60B1461A5AF982D49D1CC926826A3768285FDAE38C31867EF825B13E76738F95610C5EE404DF8F5B8BDDB4E3949169AA9AA7468A19103C2CEC0D59648C |
| SSDEEP | 384:UNICX8nBL7pDLFlqVMnSSj27gK/2rWEIWOKD1IDBRJdq7ZYKLlmlm:qcR8SSSq7FcDI1PE1qm |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wuauclt.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3659 (rs1_release_1.200410-1813)
  • Product Version: 10.0.14393.3659
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)


Possible Misuse

The following table contains possible examples of wuauclt.exe being misused. While wuauclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | net_connection_win_wuauclt_network_connection.yml | title: Wuauclt Network Connection | DRL 1.0 |
| sigma | net_connection_win_wuauclt_network_connection.yml | description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. | DRL 1.0 |
| sigma | net_connection_win_wuauclt_network_connection.yml | - https://dtm.uk/wuauclt/ | DRL 1.0 |
| sigma | net_connection_win_wuauclt_network_connection.yml | Image\|contains: wuauclt | DRL 1.0 |
| sigma | net_connection_win_wuauclt_network_connection.yml | - Legitimate use of wuauclt.exe over the network. | DRL 1.0 |
| sigma | proc_creation_win_lolbas_execution_of_wuauclt.yml | title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL | DRL 1.0 |
| sigma | proc_creation_win_lolbas_execution_of_wuauclt.yml | description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. | DRL 1.0 |
| sigma | proc_creation_win_lolbas_execution_of_wuauclt.yml | - https://dtm.uk/wuauclt/ | DRL 1.0 |
| sigma | proc_creation_win_lolbas_execution_of_wuauclt.yml | CommandLine\|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' | DRL 1.0 |
| sigma | proc_creation_win_proxy_execution_wuauclt.yml | title: Proxy Execution via Wuauclt | DRL 1.0 |
| sigma | proc_creation_win_proxy_execution_wuauclt.yml | description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. | DRL 1.0 |
| sigma | proc_creation_win_proxy_execution_wuauclt.yml | - https://dtm.uk/wuauclt/ | DRL 1.0 |
| sigma | proc_creation_win_proxy_execution_wuauclt.yml | - Image\|contains: wuauclt | DRL 1.0 |
| sigma | proc_creation_win_proxy_execution_wuauclt.yml | - OriginalFileName: wuauclt.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \wuauclt.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt.yml | description: Detects code execution via the Windows Update client (wuauclt) | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt.yml | - https://dtm.uk/wuauclt/ | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt.yml | - '\wuauclt.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt_cmdline.yml | description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt_cmdline.yml | Image\|endswith: '\Wuauclt.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_wuauclt_cmdline.yml | CommandLine\|endswith: '\Wuauclt.exe' | DRL 1.0 |
| sigma | registry_event_persistence_search_order.yml | - C:\WINDOWS\system32\wuauclt.exe | DRL 1.0 |
| LOLBAS | Wuauclt.yml | Name: wuauclt.exe | |
| LOLBAS | Wuauclt.yml | - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer | |
| LOLBAS | Wuauclt.yml | - Path: C:\Windows\System32\wuauclt.exe | |
| LOLBAS | Wuauclt.yml | - IOC: wuauclt run with a parameter of a DLL path | |
| LOLBAS | Wuauclt.yml | - IOC: Suspicious wuauclt Internet/network connections | |
| LOLBAS | Wuauclt.yml | - Link: https://dtm.uk/wuauclt/ | |
| signature-base | apt_putterpanda.yar | $x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */ | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.