What is wxmon.exe? Should I remove it?
Wxmon.exe – a malicious executable file related to Scarab ransomware
Wxmon.exe is an executable file,[1] which functions as a carrier for Scarab ransomware. First detected by malware researchers in the second half of March 2018, it has been seen circulating on the Internet disguised as rogue software downloads and malicious email attachments. Responsible for launching the Scarab-Please ransomware, this file carries a high danger level and is detected as Trojan Win32/Suloc.A by 69% of the AV engines on the market.[2]
Typically, the wxmon.exe file hides in the AppData\Roaming\Microsoft\ folder and is one of the ransomware's primary launch tools. Hybrid Analysis revealed that this ransomware-related executable is capable of:
- Creating new Registry entries;
- Reading terminal service and RDP related keys;
- Connecting to remote servers and transmitting the required data;
- Reading the active PC's name;
- Opening the MountPointManager, which is used to exploit vulnerabilities.
In other words, wxmon.exe acts somewhat like a worm. It roots itself deeply into the Windows OS by protecting itself with malicious Registry entries, and then accumulates the PC-related information needed for a successful attack on the system.
Name | Wxmon.exe |
---|---|
Type | Executable file |
Danger level | High. It's closely related to Scarab ransomware. Initiates malicious activities |
AV-detection | Trojan Win32/Suloc.A |
Location | AppData\Roaming\Microsoft\ (can vary) |
Removal | Manual Wxmon.exe removal is not possible. Run a scan with FortectIntego to root out all ransomware-related files. |
The file can affect any version of Windows OS, including XP, 7, 8, 8.1, 10 and others. It does not have a visible window due to anti-detection traits. However, it is capable of starting a bunch of additional processes, as well as importing suspicious APIs.[3]
Wxmon.exe file can also modify Proxy settings and corrupt sensitive IE security settings, which may result in web browser's hijack, infiltration of malicious extensions or unauthorized remote connections.
The most alarming aspect of the wxmon.exe virus is its ability to mark files for deletion, as well as to delete data using its deletion access rights. This means the file is extremely malicious and poses a high risk of data loss.
In fact, the presence of wxmon.exe on your PC is a clear sign that your PC is currently being encrypted.
Ransomware has already attacked it. If you do not yet see your files encrypted with the .please file extension or the HOW TO RECOVER ENCRYPTED FILES.TXT ransom note on your desktop, it is most probably only a matter of time before those signs appear.
To prevent your files from being encrypted by the Scarab ransomware virus, the dieviren.de[4] team recommends scanning your PC with FortectIntego, SpyHunter 5, Combo Cleaner, Malwarebytes or another powerful anti-malware tool to remove the wxmon.exe file from your PC as soon as possible.
If you cannot terminate the wxmon.exe virus in Task Manager or eliminate it automatically, we strongly recommend restarting your PC in Safe Mode with Networking as explained below and launching your anti-virus from there.
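As an added example that is not part of the original article, the following PowerShell script checks a Windows machine for the indicators described above: the wxmon.exe drop location, a running wxmon process, autostart Registry entries referencing it, the .please file extension and the ransom note name are all taken from the text; the two Run keys are an assumption about where such autostart entries would appear.

```powershell
# Added defender-side check for the wxmon.exe / Scarab indicators described in the article.
# Drop path, process name, .please extension and ransom note name come from the text;
# the Run-key locations are assumed, not stated by the article.
$indicators = @()

# 1. The documented drop location: %APPDATA%\Microsoft\wxmon.exe
$dropPath = Join-Path $env:APPDATA 'Microsoft\wxmon.exe'
if (Test-Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $indicators += "File present: $dropPath (SHA256 $hash)"
}

# 2. A running wxmon process (the article notes it shows no visible window)
Get-Process -Name 'wxmon' -ErrorAction SilentlyContinue | ForEach-Object {
    $indicators += "Process running: PID $($_.Id) $($_.Path)"
}

# 3. Autostart Registry entries whose value references wxmon.exe (assumed locations)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to every result
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -match 'wxmon\.exe') {
            $indicators += "Autostart entry: $key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. Encryption artefacts: .please files and the ransom note named in the article
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.please' -File `
    -ErrorAction SilentlyContinue | Select-Object -First 5
if ($encrypted) { $indicators += "Encrypted files found, e.g. $($encrypted[0].FullName)" }
$note = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'HOW TO RECOVER ENCRYPTED FILES.TXT' -File `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($note) { $indicators += "Ransom note found: $($note.FullName)" }

if ($indicators.Count -eq 0) {
    Write-Output 'No wxmon.exe / Scarab indicators found.'
} else {
    $indicators | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

Run it from an elevated PowerShell session so that the HKLM key and all user directories are readable; a non-empty SUSPICIOUS list is a cue to take the machine offline and run the full anti-malware scan the article recommends.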
Malicious files may be disguised anywhere
It is not difficult for criminals to hide malicious files in software downloads, ads, hacked websites, and other channels. The only thing stopping them from hiding malicious components anywhere they like is the security measures taken by reputable software vendors, website owners, and content creators.
Various security scanners are used to detect and neutralize malicious .exe files like this one, and most of them work successfully. Sadly, spam email messages remain the number one distributor of ransomware and malware, since the malicious .exe files they carry are either not scanned or not recognized as malicious.
According to malware researchers, this particular file may be disguised as a fake scanned document inside a 7-Zip archive that carries a malicious VBS script.
Apart from spam, people should also beware of fake Java or Adobe Flash Player updates, rogue software downloads, and malicious ads on illegal websites.
Wxmon.exe removal guide
We do not recommend removing the wxmon.exe file on your own. Two things can happen if you try: the file can either delete part of your data in the process or simply protect itself from removal.
To ensure successful wxmon.exe removal, we recommend using the FortectIntego, SpyHunter 5 or Combo Cleaner anti-virus programs. In case Scarab ransomware has managed to encrypt your files, you can find a guide on how to recover them here.
- [1] Dieviren. Dieviren. German cybersecurity news site.
- [2] Tim Fisher. List of Executable File Extensions. Lifewire. Practical advice on how to live better with technology.
- [3] _wtmp001.exe analysis. Hybrid Analysis. A free malware analysis service.
- [4] About API Keys. KB MailChimp. Knowledge Base.