What is wxmon.exe? Should I remove it?

Wxmon.exe – a malicious executable file related to Scarab ransomware

Wxmon.exe is an executable file,[1] which functions as a Scarab ransomware carrier. Detected in the second half of March 2018 by malware researchers, it has been revealed circulating on the Internet disguised under rogue software downloads and malicious email attachments. Responsible for Scarab-Please ransomware unraveling, this file features a high danger level and is detected as a Trojan Win32/Suloc.A by 69% of AV engines on the market.[2] 

Typically, the wxmon.exe file disguises in AppData\Roaming\Microsoft\ folder and one of the primary ransomware launch tool. The Hybrid Analysis revealed that this ransomware-related executable is capable of:

  • Creating new Registry entries;
  • Reading terminal service and RDP related keys;
  • Connecting to remote servers and transmit required data;
  • Reading the active PC's name;
  • Opening the MountPointManager used to do the exploitation of vulnerabilities.

In other words, the wxmon.exe acts like a worm in a way. It roots deeply into the Windows OS by protecting itself with malicious Registry entries, and the accumulates PC-related information needed for a successful system's attack.

Name Wxmon.exe
Type Executable file
Danger level High. It's closely related to Scarab ransomware. Initiates malicious activities
AV-detection Trojan Win32/Suloc.A
Location AppData\Roaming\Microsoft\ (can vary)
Removal Manual Wxmon.exe removal is not possible. Run a scan with FortectIntego to root out all ransomware-related files.


The file can affect any version of Windows OS, including XP, 7, 8, 8.1, 10 and others. It does not have a visible window due to anti-detection traits. However, it is capable of starting a bunch of additional processes, as well as importing suspicious APIs.[3] 

Wxmon.exe file can also modify Proxy settings and corrupt sensitive IE security settings, which may result in web browser's hijack, infiltration of malicious extensions or unauthorized remote connections.

The most alarming aspect regarding wxmon.exe virus is related to its ability to mark files for deletion, as well as dispose of data with deletion access rights. It means that this file is extremely malicious and poses a high-risk or data loss.
In fact, the presence of the wxmon.exe on your PC is a clear sign that your PC is currently under encryption.

Ransomware has already attacked it. If you don't see your files encrypted by .please file extension or HOW TO RECOVER ENCRYPTED FILES.TXT ransom note on your desktop, most probably it's only a matter of time when you'll see those signs.

To prevent your files from being encrypted by Scarab ransomware virus, dieviren.de[4] team recommend you to scan your PC with FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes or another powerful anti-malware tool to remove the wxmon.exe file from your PC asap.

If you cannot terminate wxmon.exe virus on Task Manager, as well as eliminate it automatically, we would strongly recommend you to restart your PC into Safe Mode with Networking as explained below and try to launch anti-virus right there.

Malicious files may be disguised anywhere

It's not difficult for criminals to hide malicious files under software downloads, ads, hacked websites, and other means. The reason why they don't hide malicious components anywhere they want is the security measures that are taken by reputable software vendors, website owners, and content creators.

Various security scanners are applied to detect and immunize malicious .exe files like this one and most of them successfully work. Sadly, but spam email messages remain the number one ransomware and malware disseminator since malicious .exe files are either not scanned or not recognized as malicious.

According to malware researchers, this particular file may be disguised under fake scanned documents in the 7Zip archive, which is infected with VBS script.

Apart from spam, people should be aware of fake Java or Adobe Flash Player updates, rogue software downloads, as well as malicious ads on illegal websites.

Wxmon.exe removal guide

We do not recommend you to remove wxmon.exe file individually. There are two scenarios what could happen if you try to do so, i.e., the file can either delete a part of your data alongside or merely protect itself from removal.

To ensure a successful wxmon.exe removal, we recommend using FortectIntego, SpyHunter 5Combo Cleaner or SpyHunter 5Combo Cleaner anti-virus programs. In case Scarab ransomware managed to encrypt your files, you can find a guide on how to recover them here.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions