Adware Reports malware removal guides and threat research Updated security instructions for Windows users

Ransom.MaktubLocker.1 removal instruction

Published Apr 11, 2024. Category: Ransom.

What to verify before removal

Removing Ransom.MaktubLocker.1 should be handled as a recovery-sensitive task, not as a routine deletion. Before removing files, isolate the affected system and compare the detection with the notes below so encrypted data, restore points, and backups are not damaged.

Start by comparing the local file name with E5622C9C18AC68C5A7C7.mlw, then review the behavior notes for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file
E5622C9C18AC68C5A7C7.mlw
  • Compare the suspicious file name with E5622C9C18AC68C5A7C7.mlw.
  • Confirm the detection name matches Ransom.MaktubLocker.1 before removing related files.
  • Review the report for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers so the cleanup is based on observed behavior, not only the label.
  • Disconnect the machine from the network before recovery work and avoid deleting encrypted samples until backups are checked.

Ransom.MaktubLocker.1 is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

What can the Ransom.MaktubLocker.1 virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is likely packed with VMProtect
  • Authenticode signature is invalid
  • Binary file triggered YARA rule
  • Yara detections observed in process dumps, payloads or dropped files

How to identify Ransom.MaktubLocker.1?


File Info:

name: E5622C9C18AC68C5A7C7.mlw
path: /opt/CAPEv2/storage/binaries/7ee163c78b1bd59b88182c6161263b33ddf52cb5b3dc4b2faa50a66919dd41e0
type: PE32 executable (GUI) Intel 80386, for MS Windows
timestamp: 2009-03-31 12:50:52

Version Info:

Comments:
CompanyName:
FileDescription: Willar Programmer
FileVersion: 2, 2, 0, 2560
InternalName: WLPRO
LegalCopyright: Copyright (C) 2007
LegalTrademarks:
OriginalFilename: WLPRO.EXE
PrivateBuild:
ProductName: Willar Programmer
ProductVersion: 2, 2, 0, 2560
SpecialBuild:
Translation: 0x0804 0x04b0

Ransom.MaktubLocker.1 also known as:

Bkav W32.AIDetectMalware
MicroWorld-eScan Gen:Variant.Ransom.MaktubLocker.1
FireEye Generic.mg.e5622c9c18ac68c5
CrowdStrike win/malicious_confidence_60% (W)
BitDefenderTheta Gen:NN.ZexaF.36802.5C0@a4ud50bj
APEX Malicious
Cynet Malicious (score: 100)
BitDefender Gen:Variant.Ransom.MaktubLocker.1
Emsisoft Gen:Variant.Ransom.MaktubLocker.1 (B)
VIPRE Gen:Variant.Ransom.MaktubLocker.1
Trapmine malicious.moderate.ml.score
Sophos Generic ML PUA (PUA)
SentinelOne Static AI – Suspicious PE
Arcabit Trojan.Ransom.MaktubLocker.1
GData Gen:Variant.Ransom.MaktubLocker.1
ALYac Gen:Variant.Ransom.MaktubLocker.1
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002H09D224
Rising Trojan.Generic@AI.89 (RDML:u9b6sDjA4nEBNqjYlIpVJA)
MaxSecure Trojan.Malware.1380195.susgen
DeepInstinct MALICIOUS

How to remove Ransom.MaktubLocker.1?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings”.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.