File name: Fortect.exe

Full analysis: https://app.any.run/tasks/533d7be9-270d-45e6-9789-7da069024b0a
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 14, 2025, 16:02:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pua, adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 06973CD452BFD255A42DB3081722E0D2
SHA1: D742F584DA1F3B2ED212125A61415133A0384398
SHA256: B50D674FE3873196EE5FF2BC24CA30C28054A01532943D969273A5562B0B5EF0
SSDEEP: 24576:GJ8mNKKeiKjRBWFhWK893mkYyslfL3u4VqBnr4EcYOjfZT:GJ8mleiKjRBWFhWK893XYyslfL3uCqBQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Fortect.exe (PID: 6420)
    • Reads security settings of Internet Explorer

      • Fortect.exe (PID: 6420)
    • Executable content was dropped or overwritten

      • Fortect.exe (PID: 6420)
      • Fortect.exe (PID: 6640)
    • Application launched itself

      • Fortect.exe (PID: 6420)
    • There is functionality for taking screenshot (YARA)

      • Fortect.exe (PID: 6640)
      • Fortect.exe (PID: 6420)
  • INFO

    • The sample compiled with english language support

      • Fortect.exe (PID: 6420)
      • Fortect.exe (PID: 6640)
    • Create files in a temporary directory

      • Fortect.exe (PID: 6420)
      • Fortect.exe (PID: 6640)
    • Checks supported languages

      • Fortect.exe (PID: 6420)
    • Reads the computer name

      • Fortect.exe (PID: 6420)
    • Reads the software policy settings

      • Fortect.exe (PID: 6640)
    • Checks proxy server information

      • Fortect.exe (PID: 6640)
    • Process checks computer location settings

      • Fortect.exe (PID: 6420)
    • Creates files or folders in the user directory

      • Fortect.exe (PID: 6640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.2.1.6
ProductVersionNumber: 7.2.1.6
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Fortect
FileDescription: Fortect Setup
FileVersion: 7.2.1.6
InternalName: Fortect.exe
LegalCopyright: © Fortect
LegalTrademarks: © Fortect
OriginalFileName: Fortect.exe
ProductName: Fortect
ProductVersion: 7.2.1.6
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start -> fortect.exe -> fortect.exe

Process information

PID 6420
  CMD: "C:\Users\admin\AppData\Local\Temp\Fortect.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Fortect.exe
  Parent process: explorer.exe
  User: admin
  Company: Fortect
  Integrity Level: MEDIUM
  Description: Fortect Setup
  Version: 7.2.1.6
  Modules (images):
    c:\users\admin\appdata\local\temp\fortect.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 6640
  CMD: "C:\Users\admin\AppData\Local\Temp\Fortect.exe" /UAC=new
  Path: C:\Users\admin\AppData\Local\Temp\Fortect.exe
  Parent process: Fortect.exe
  User: admin
  Company: Fortect
  Integrity Level: HIGH
  Description: Fortect Setup
  Version: 7.2.1.6
  Modules (images):
    c:\windows\syswow64\cryptnet.dll
    c:\windows\syswow64\dhcpcsvc6.dll
    c:\windows\syswow64\dhcpcsvc.dll
    c:\windows\syswow64\webio.dll
    c:\windows\syswow64\ncrypt.dll
    c:\windows\syswow64\ncryptsslp.dll
    c:\users\admin\appdata\local\temp\fortect\plugins\banner.dll
    c:\windows\syswow64\textinputframework.dll
    c:\windows\syswow64\coreuicomponents.dll
    c:\windows\syswow64\wintypes.dll
Total events: 382
Read events: 379
Write events: 3
Delete events: 0

Modification events

(PID) Process: (6640) Fortect.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value:

(PID) Process: (6640) Fortect.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

(PID) Process: (6640) Fortect.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:
Executable files: 8
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID 6420, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\UserInfo.dll
  Type: executable
  MD5: 7C12B2DDE3D65C1D4DE5456C2F92AA9D
  SHA256: D6360E692B8EDC5CEDA976E9027A917D379B5C62C958227130DD68DE2F5BE3A6

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\fUtil.dll
  Type: executable
  MD5: 1297CA8428913A757F0783075445E763
  SHA256: 434D85E0EF451962D2F33B53FB0738B371A699FDD11691FBF6E09C6BD7D4994A

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\INetC.dll
  Type: executable
  MD5: A6674D9F6E0C1E30AFA8007B9E4F211B
  SHA256: DBBC53126213C325D209C242FBB6C097E86906A77F8A98896200492CDE19B0B8

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
  Type: binary
  MD5: 971C514F84BBA0785F80AA1C23EDFD79
  SHA256: F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\Banner.dll
  Type: executable
  MD5: 297E0EB8AC76B69B873C26A8532A6AAC
  SHA256: 64BA1AFEBFD0CA81D294D6001A358711E8E8992C08E40181050A3D465ACB4030

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Type: binary
  MD5: BA9E9E379A721EAF37D5C0D049F0DB3F
  SHA256: 286568F69A65175F04F8161FCF9D4A2F18491C993C449BF45F8D888852D9F453

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\fortect-side.bmp
  Type: image
  MD5: 3B4EE5451899C2B00555C573A389AEB8
  SHA256: 8FBD59EE64AF8A702F7A57657AB1766030885E28090E63E966E31B0358AE11F3

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
  Type: binary
  MD5: 03B49586BE2357413C4C7841D49308C1
  SHA256: CD427044C9846B3DB49822AF119BBFC713F472F3CEB5B7D4DEB4E57E8BD3DCDA

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Fortect\plugins\nsProcess.dll
  Type: executable
  MD5: 35C8EF832F608E8C8852E920127B81A6
  SHA256: 7652DACE2737A5F431EC3CABC149BA1152B74F1100A4F2F843FDCB43D15758F5

PID 6640, Fortect.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Type: binary
  MD5: C9BE626E9715952E9B70F92F912B9787
  SHA256: C13E8D22800C200915F87F71C31185053E4E60CA25DE2E41E160E09CD2D815D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 28
DNS requests: 14
Threats: 2

HTTP requests

PID   Process                 Method  HTTP Code  IP                  CN       Reputation   URL
6640  Fortect.exe             GET     200        216.58.206.67:80    unknown  whitelisted  http://c.pki.goog/r/gsr1.crl
-     -                       GET     200        23.54.109.203:80    unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
1176  svchost.exe             GET     200        23.54.109.203:80    unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
5496  SIHClient.exe           GET     200        184.30.21.171:80    unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
6776  backgroundTaskHost.exe  GET     200        23.54.109.203:80    unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
6640  Fortect.exe             GET     200        216.58.206.67:80    unknown  whitelisted  http://c.pki.goog/r/r4.crl
5496  SIHClient.exe           GET     200        184.30.21.171:80    unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl

Connections

PID   Process       IP                   Domain                           ASN                          CN  Reputation
-     -             23.54.109.203:80     ocsp.digicert.com                AKAMAI-AS                    DE  whitelisted
4     System        192.168.100.255:137  -                                -                            -   whitelisted
3884  svchost.exe   51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1520  RUXIMICS.exe  51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -             51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3976  svchost.exe   51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -             192.168.100.255:138  -                                -                            -   whitelisted
-     -             104.26.2.16:443      app.fortect.com                  CLOUDFLARENET                US  unknown
1176  svchost.exe   20.190.160.4:443     login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6640  Fortect.exe   216.58.206.67:80     c.pki.goog                       GOOGLE                       US  whitelisted

DNS requests

Domain: resolved IP(s) (reputation)

ocsp.digicert.com: 23.54.109.203 (whitelisted)
app.fortect.com: 104.26.2.16, 104.26.3.16, 172.67.75.40 (unknown)
login.live.com: 20.190.160.4, 40.126.32.74, 40.126.32.140, 20.190.160.22, 40.126.32.136, 20.190.160.5, 20.190.160.67, 20.190.160.64 (whitelisted)
c.pki.goog: 216.58.206.67 (whitelisted)
go.microsoft.com: 23.35.238.131 (whitelisted)
settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)
arc.msn.com: 20.31.169.57 (whitelisted)
fd.api.iris.microsoft.com: 20.103.156.88 (whitelisted)
slscr.update.microsoft.com: 52.149.20.212 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)

Threats

PID  Process  Class                               Message
-    -        Possibly Unwanted Program Detected  ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
-    -        Possibly Unwanted Program Detected  ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)
No debug info