c1e8d7b2c9c434376359172b10d5162a54e937da359fb41e76f84c68dede9473
Author: Microsoft
Source: Wild
Summary
Autochk.exe is a version of chkdsk that runs only on NTFS disks and only before Windows Server starts. Autochk cannot be run directly from the command line.
EchoTrail Prevalence Score (EPS)
80.84
Rank Analysis
Host Prevalence
87.6%
Execution Rank
33,661st
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32
99.92 %
Top Network Ports
443
100.00 %
Ancestry Analysis
Top GrandParents
No results found.
Top Parents
Top Children
Security Analysis
Intel
Autochk.exe is a version of chkdsk that runs only on NTFS disks and only before Windows Server starts. Autochk cannot be run directly from the command line. (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/autochk) Autochk should be a System32 executable signed by Microsoft; however, you may run into other instances if you are hunting for unsigned executables in the System32 folder. One example is if you use Absolute Software in your environment. In normal scenarios Absolute's autochk should spawn rpcnetp.exe and then be replaced by the normal Windows autochk. In VDI environments, however, this replacement might not happen and Absolute's version might still linger. To look for signs that an autochk binary is Absolute's, look for network flows to 209[.]53[.]113[.]23 and search[.]namequery[.]com. (https://securelist.com/absolute-computrace-revisited/58278/) The APT group Emissary Panda was also known to use an autochk rootkit. Full details can be found at https://repnz.github.io/posts/autochk-rootkit-analysis/ .