5e29a9bdb75648080f2cc563164c60a0ac1c76df1c3ffbd475066a89b6f92ccc
Author: Microsoft
Source: Wild
Summary
Autochk.exe is a version of chkdsk that runs only on NTFS disks and only before Windows Server starts. autochk cannot be run directly from the command-line.
EchoTrail Prevalence Score (EPS)
81.77
Rank Analysis
Host Prevalence
87.6%
Execution Rank
30,425th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32
99.92%
Top Network Ports
443
100.00%
Ancestry Analysis
Top GrandParents
No results found.
Top Parents
Top Children
Security Analysis
Intel
Autochk.exe is a version of chkdsk that runs only on NTFS disks and only before Windows Server starts. autochk cannot be run directly from the command-line. (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/autochk)

Autochk should be a System32 executable signed by Microsoft; however, you may run into other instances if you are hunting for unsigned executables in the System32 folder. One example is if you use Absolute software in your environment. In normal scenarios Absolute's autochk should spawn rpcnetp.exe and then be replaced by the normal Windows autochk. In VDI environments, however, this replacement might not happen and Absolute's version might still linger. To look for signs of that autochk being Absolute's, look for network flows to 209[.]53[.]113[.]23 and search[.]namequery[.]com. (https://securelist.com/absolute-computrace-revisited/58278/)

The APT Emissary Panda was also known to use an autochk rootkit. Full details can be found at https://repnz.github.io/posts/autochk-rootkit-analysis/ .
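The hunting points above (autochk should be a Microsoft-signed System32 binary, and Absolute's variant is associated with rpcnetp.exe) can be turned into a quick host check. The PowerShell below is an added example, not EchoTrail's or Microsoft's code; it assumes the default `%SystemRoot%\System32\autochk.exe` location and treats any signature that is not a valid Microsoft one as worth a closer look. Function names are hypothetical.

```powershell
# Added example: verify the Authenticode signature of autochk.exe and report
# whether rpcnetp.exe (which the page associates with Absolute's autochk) is present.
function Test-AutochkSignature {
    param(
        # Assumed default location; override for offline images or mounted volumes.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\autochk.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Status = 'Missing'; Signer = $null; SHA256 = $null; Suspicious = $true
        }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Windows ships autochk signed by Microsoft; a different signer, an unsigned
    # file or a broken chain is the condition the page tells you to hunt for.
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Status     = $sig.Status
        Signer     = $signer
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Suspicious = -not $isMicrosoft
    }
}

function Find-RpcnetpCompanion {
    # rpcnetp.exe sitting in System32 is a hint to correlate with the signer result above.
    $candidate = Join-Path $env:SystemRoot 'System32\rpcnetp.exe'
    [pscustomobject]@{ Path = $candidate; Present = (Test-Path -LiteralPath $candidate) }
}

Test-AutochkSignature  | Format-List
Find-RpcnetpCompanion  | Format-List
```

Many System32 binaries are catalog-signed rather than embedded-signed; current Windows versions resolve this and `Get-AuthenticodeSignature` reports `Valid` with a catalog signature type, but on older hosts a `NotSigned` result for a genuine Microsoft file can occur, so confirm against the catalog before treating such a result as a finding. A `Suspicious` result combined with rpcnetp.exe present, or with the network indicators listed above, is the combination the page describes.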