w3wp.exe

  • File Path: C:\Windows\SysWOW64\inetsrv\w3wp.exe
  • Description: IIS Worker Process

Hashes

Type Hash
MD5 A93EC9C3999C4F798B270A4B5C5300A1
SHA1 F39A39456B8D962A553BFC759CF420979F7D3FAB
SHA256 3BD48EECD731F843B4416C46C254D2EFB78A5F77105C341FC8FD888956F1FB64
SHA384 08BABA95B8E85E997088A2603E3481E281D1A29BF44925EA6C4245A09FCA75567D0A3E33CEE28930B19A2E4E8A93E1FC
SHA512 B582C92561A79C769F0DEC2B91A50B73128588A93F67D539131AAC59354A9BB3487AF4974E4BFAA89C41761BF79C237C5E7037C02ECDDF28DF2995AFCB981862
SSDEEP 384:JI3JPj561Qknfpw2Xw78QZgp9IbnUiSkHFqWSuYN:JAJPEmuhwH8+eAUiSklY

Runtime Data

Usage (stdout):

Usage: C:\Windows\SysWOW64\inetsrv\w3wp.exe -s <site id> | -h [application host file]  
                           -w <optional root web.config file>  
                           -in <optional instance name>  
 
	-debug 
		 This option launches a worker process using the default 
		 application host config file.  By default, it will use 
		 site id 1. 
 
	-s <site id> 
		 Optional parameter to use a siteinformation from the provided 
		 site id. 
 
	or 
 
	-h [Application host config filename] 
		 Launches a worker process using the specified application host 
		 config file. 
 
	-in <Instance Name> 
		 Optional instance name to use.  Defaults to 'HWC-<PID>' 
 
	-w <Root web config filename> 
		 Optional root web config file to use. 

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: w3wp.exe.mui
  • Product Name: Internet Information Services
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of w3wp.exe being misused. While w3wp.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\w3wp.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\w3wp.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers DRL 1.0
sigma proc_creation_win_susp_csc_folder.yml - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_spawn.yml - '\w3wp.exe' DRL 1.0
signature-base apt_hafnium.yar $s1 = “AppPath=c:\windows\system32\inetsrv\w3wp.exe” wide fullword CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.