9fbd742e9206eb0da979c1c980f665c2520e0797170ab713583349b51046ba2e
Source: Wild
Summary
microsoftedge.exe launches the Microsoft Edge Web Browser.
EchoTrail Prevalence Score (EPS)
65.18
Rank Analysis
Host Prevalence
68.5%
Execution Rank
42,233rd
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
99.79 %
loading...
Top Network Ports
49709
26.47 %
loading...
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
A typical detection hypothesis for behaviorally finding malicious activities stemming from a web browser is to look for shells (cmd.exe, powershell.exe, etc) being launched as a child process of the web browser. While this merits some attention sometimes, it is not abnormal enough to warrant a worthwhile high priority detection. This hypothesis is rather a decent second order indicator to prioritize another detection method or within a correlation rule. However, some APT style attacks will abuse common applications, such as web browsers, to take advantage of DLL load orders. In those scenarios, a legitimately-named-but-actually-malicious DLL will have been written in the same directory as the core web browser binary, thereby causing it to be loaded when the web browser is called. One method for detecting such an attack methodology would be to look for scheduled tasks launching web browsers, especially those where the task was scheduled remotely.