ff11877d711f9de40be231cbadb31453a1896bb2e79d7ea5ff89d9980254ceb4

Source: Wild

Summary

w3wp.exe is an IIS (Internet Information Services) worker process, launched by the svchost.exe. It typically launches to service a connection to the web server by a client.

EchoTrail Prevalence Score (EPS)

34.6

Rank Analysis

Host Prevalence

7.1%

Execution Rank

1,221st

Behavioral Analysis

Top Filenames

w3wp.exe

100.00 %

Top Paths

C:\Windows\System32\inetsrv

85.52 %

Top Network Ports

66.67 %

Ancestry Analysis

Top GrandParents

Top Parents

Top Children

Security Analysis

Intel

w3wp.exe should only run on a windows computer that acts as a web server. One indication of a compromised web server is when w3wp.exe is seen launching a shell, like cmd.exe or powershell.exe. This is common in a webshell attack where an attacker has compromised the web server such that it will remotely run any command provided by the attacker. It typically achieves this by launching a shell to execute the attacker’s command.