Malware analysis Fortect.exe Malicious activity | ANY.RUN

Add for printing

File name:	Fortect.exe
Full analysis:	https://app.any.run/tasks/9960554e-1036-48bb-81d2-d63a60525a1b
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	July 31, 2024, 14:56:15
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pua adware
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	62375C21E6766944CD560A7F5AECF0CA
SHA1:	CCAF94B68F7D663F40D4D5D00604E8F90BCE8A2C
SHA256:	F54AE79FC6E93B6A316880D478DDE0821DB81185C5CA60C1183FBFD3356986EF
SSDEEP:	24576:wJ8TDOT3Vec50YqCSsXsjzd4sihi67oTZ3su:wJ8TST3Vec50YqCSsXsjzd4sihi67oT7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Fortect.exe (PID: 6432)
- ADWARE has been detected (SURICATA)
  - Fortect.exe (PID: 6432)
  - svchost.exe (PID: 2256)
  - Fortect.exe (PID: 6940)
SUSPICIOUS
- The process creates files with name similar to system file names
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads security settings of Internet Explorer
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Executable content was dropped or overwritten
  - Fortect.exe (PID: 6432)
  - FortectMain.exe (PID: 188)
  - Fortect.exe (PID: 6940)
- Checks Windows Trust Settings
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads the date of Windows installation
  - Fortect.exe (PID: 6432)
- Access to an unwanted program domain was detected
  - Fortect.exe (PID: 6432)
  - svchost.exe (PID: 2256)
  - Fortect.exe (PID: 6940)
- Executes as Windows Service
  - MainService.exe (PID: 3900)
  - MainDaemon.exe (PID: 6776)
- Application launched itself
  - FortectMain.exe (PID: 188)
INFO
- Checks proxy server information
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Create files in a temporary directory
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads the machine GUID from the registry
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Checks supported languages
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads Environment values
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads the computer name
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Reads the software policy settings
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Creates files or folders in the user directory
  - Fortect.exe (PID: 6432)
  - Fortect.exe (PID: 6940)
- Process checks computer location settings
  - Fortect.exe (PID: 6432)
- Manual execution by a user
  - FortectMain.exe (PID: 188)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:56:47+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x3640
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.2.0.0
ProductVersionNumber:	6.2.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Fortect
FileDescription:	Fortect Setup
FileVersion:	6.2.0.0
InternalName:	Fortect.exe
LegalCopyright:	© Fortect
LegalTrademarks:	© Fortect
OriginalFileName:	Fortect.exe
ProductName:	Fortect
ProductVersion:	6.2.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

150

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

"C:\Program Files\Fortect\FortectMain.exe" --lang=en --firstRun --runId=f0ed1bf7-f0d8-4f4f-889b-29491284a1ba

C:\Program Files\Fortect\FortectMain.exe

explorer.exe

User:

admin

Company:

Fortect LTD®

Integrity Level:

MEDIUM

Description:

Fortect Main

Version:

6.5.0.2

1184

"C:\Program Files\Fortect\FortectMain.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Fortect" --mojo-platform-channel-handle=2224 --field-trial-handle=1868,i,14947332004039842141,11762826711872375030,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files\Fortect\FortectMain.exe

—

FortectMain.exe

User:

admin

Company:

Fortect LTD®

Integrity Level:

MEDIUM

Description:

Fortect Main

Version:

6.5.0.2

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3900

"C:\Program Files\Fortect\MainService.exe"

C:\Program Files\Fortect\MainService.exe

—

services.exe

User:

SYSTEM

Company:

Fortect LTD.

Integrity Level:

SYSTEM

Description:

Fortect Service

Version:

6.5.0.2

4704

"C:\Program Files\Fortect\MainService.exe" --install

C:\Program Files\Fortect\MainService.exe

—

Fortect.exe

User:

admin

Company:

Fortect LTD.

Integrity Level:

HIGH

Description:

Fortect Service

Exit code:

Version:

6.5.0.2

5656

"C:\Program Files\Fortect\FortectMain.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Fortect" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1868,i,14947332004039842141,11762826711872375030,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\Fortect\FortectMain.exe

—

FortectMain.exe

User:

admin

Company:

Fortect LTD®

Integrity Level:

LOW

Description:

Fortect Main

Version:

6.5.0.2

6336

"C:\Program Files\Fortect\FortectMain.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --user-data-dir="C:\Users\admin\AppData\Roaming\Fortect" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=920 --field-trial-handle=1868,i,14947332004039842141,11762826711872375030,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\Fortect\FortectMain.exe

—

FortectMain.exe

User:

admin

Company:

Fortect LTD®

Integrity Level:

MEDIUM

Description:

Fortect Main

Exit code:

Version:

6.5.0.2

6344

"C:\Program Files\Fortect\bin\FortectTray.exe"

C:\Program Files\Fortect\bin\FortectTray.exe

—

Fortect.exe

User:

admin

Company:

Fortect Ltd.

Integrity Level:

HIGH

Description:

Fortect Tray App

Version:

6.5.0.2

6380

"C:\Users\admin\AppData\Local\Temp\Fortect.exe"

C:\Users\admin\AppData\Local\Temp\Fortect.exe

—

explorer.exe

User:

admin

Company:

Fortect

Integrity Level:

MEDIUM

Description:

Fortect Setup

Exit code:

3221226540

Version:

6.2.0.0

Modules

Images
c:\users\admin\appdata\local\temp\fortect.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6432

"C:\Users\admin\AppData\Local\Temp\Fortect.exe"

C:\Users\admin\AppData\Local\Temp\Fortect.exe

explorer.exe

User:

admin

Company:

Fortect

Integrity Level:

HIGH

Description:

Fortect Setup

Exit code:

Version:

6.2.0.0

Modules

Images
c:\users\admin\appdata\local\temp\fortect.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

7 937

Read events

7 911

Write events

Delete events

Modification events


(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Fortect\Engine
Operation:	write	Name:	lang
Value: 1033
(PID) Process:	(6432) Fortect.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\Fortect\plugins\nsProcess.dll
(PID) Process:	(6940) Fortect.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

140

Dropped files

PID	Process	Filename		Type
6432	Fortect.exe	C:\Users\admin\AppData\Local\Temp\Fortect\plugins\INetC.dll		executable
		MD5:9F3C809A6F525A8EF0C981C84113560E	SHA256:4D7A2D9151E02B971F38D10FFE8937F34227AD5A2CE11E7879DF094482DECA72
6432	Fortect.exe	C:\Users\admin\AppData\Local\Temp\Fortect\plugins\UserInfo.dll		executable
		MD5:921AE5351F80D55CCE56054622F5ADD9	SHA256:EAEB1C53743C3540DBAACEEAB03A57A0F16D43BE593D87E16A5695298205AD04
6432	Fortect.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		der
		MD5:7FB5FA1534DCF77F2125B2403B30A0EE	SHA256:33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
6432	Fortect.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\events[1].htm		text
		MD5:444BCB3A3FCF8389296C49467F27E1D6	SHA256:2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
6432	Fortect.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:6B3BD52E5EBBDB6B067727E709608452	SHA256:—
6432	Fortect.exe	C:\Users\admin\AppData\Local\Temp\Fortect\plugins\LogEx.dll		executable
		MD5:065130BD4BC3B4D769FFB0050A5464D0	SHA256:568871B5048CF3E9A9C200C6527938FC616139353E084C43D283F96BA16B4EBB
6432	Fortect.exe	C:\Users\admin\AppData\Local\Temp\Fortect\plugins\Banner.dll		executable
		MD5:F26199DD8E7CC2B8746F686B8546ACDE	SHA256:140A563D234E73FFEE1EE3C2C76AE03D4966F57B7E4363622C002709EB8495CE
6432	Fortect.exe	C:\Users\admin\AppData\Local\Temp\Fortect\plugins\System.dll		executable
		MD5:F64B9DFC805639380A2336BF2E803523	SHA256:69CAE8B431D364968BB4D77352718F7D862563EF3EFD1D3D18DA10B0C2813B2B
6432	Fortect.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:C5AE87EF35B266C99F0EEAA2081CAB8F	SHA256:—
6432	Fortect.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:971C514F84BBA0785F80AA1C23EDFD79	SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6432	Fortect.exe	GET	200	172.217.18.99:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6432	Fortect.exe	GET	200	172.217.18.99:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	104.26.3.16:80	http://app.fortect.com/events/cloud-scan.php?param1=A1NEuwJ2xmtGqN20lUGiHN5sZaWwV9JxsogWs43qPk9TjrdQgwlkjzJ5Nr/oFcLAk/S09zfj0n2JjH0RrmO+uj2GuWBUJjbExm9KLo5JmnHusje1VGC0Tl0AYAmoIpuED+3jL4LpleQC8UAzcmdP2PhKhCqpEvWERsqU1UYZxD8eKpGStZfT8vcUqnfju4cIoJ5XHsC+xp0T7s6n7Auufnln4WRktQD2VI8JVacxp36QNo82OzU/XSzS95j4AVzmr2syecQoBYcHqM+vAQXXoA==	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	104.26.3.16:80	http://app.fortect.com/events/cloud-scan.php?param1=A1NEuwJ2xmtGqN20lUGiHMkk5n2NLmMTluQHoYm63FHKWReWHeEDz6/nifdEzon2VdHBvkEOqAX7+e984Ti01Dg6hPG3BOK7gZD3bDBkvP5ZJf86D9yLThnHBJ1StS7W45Ta4H2S7dZFYA1r5qYmT0fzYrT+hXDiVuQ0TfmznvFx1eSotfBpCwrpBQINd1apZOr6G7uLcDCJaMpfiuEnNFYvgLiPjseCLKRBkPBN5kxTZIp8ukWZM1MqD4sANlN/t7hVnqlcp3ocJoPYXM6umA==	unknown	—	—	whitelisted
—	—	GET	200	104.26.3.16:80	http://app.fortect.com/events/cloud-scan.php?param1=A1NEuwJ2xmtGqN20lUGiHJClMojdV8HBtZNuJuXZLar4KvJvP4u5tPUULF0LYiu5z145hv2UpEDnBzLznmmGGJj3do4F4vdOZI9pVdXC7t380PMxWaTtyI1Ny6MyOAmMoz6/+CJojqVeHai2CAWyGUYA+cXtOL+7zw9+i/uvIuBIP4Z0M1c3do8V98FwMGqZyFzShw+H87bnXpIAxssFABKxc7IfYcIe663/g7/XoCP6OSkk6zPpmEA5wL/8ZWgE5DQCOGI4QjvecgROJSTe9Q==	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1420	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4576	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
6432	Fortect.exe	104.26.3.16:443	app.fortect.com	CLOUDFLARENET	US	unknown
6432	Fortect.exe	172.217.18.99:80	c.pki.goog	GOOGLE	US	unknown
4	System	192.168.100.255:137	—	—	—	unknown
1420	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6940	Fortect.exe	104.26.3.16:443	app.fortect.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 40.127.240.158	unknown
google.com	142.250.186.110	unknown
app.fortect.com	104.26.3.16 104.26.2.16 172.67.75.40	unknown
c.pki.goog	172.217.18.99	unknown
cloud.fortect.com	104.26.3.16 104.26.2.16 172.67.75.40	unknown
www.bing.com	95.100.146.33 95.100.146.17 95.100.146.27 95.100.146.26 95.100.146.19 95.100.146.35 95.100.146.34 95.100.146.25 95.100.146.40 95.100.146.32 95.100.146.9 95.100.146.16	unknown
ocsp.digicert.com	192.229.221.95	unknown
login.live.com	40.126.32.140 40.126.32.72 20.190.160.17 40.126.32.74 20.190.160.14 40.126.32.68 40.126.32.134 40.126.32.136	unknown
client.wns.windows.com	40.113.110.67 40.113.103.199	unknown
th.bing.com	2.23.209.131 2.23.209.185 2.23.209.189 2.23.209.136 2.23.209.130 2.23.209.133 2.23.209.182 2.23.209.187 2.23.209.135	unknown

Threats

PID	Process	Class	Message
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)
—	—	Possibly Unwanted Program Detected	ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI)

Add for printing

No debug info

General Info

Fortect.exe

62375C21E6766944CD560A7F5AECF0CA

CCAF94B68F7D663F40D4D5D00604E8F90BCE8A2C

F54AE79FC6E93B6A316880D478DDE0821DB81185C5CA60C1183FBFD3356986EF

24576:wJ8TDOT3Vec50YqCSsXsjzd4sihi67oTZ3su:wJ8TST3Vec50YqCSsXsjzd4sihi67oT7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

ADWARE has been detected (SURICATA)

SUSPICIOUS

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

Reads the date of Windows installation

Access to an unwanted program domain was detected

Executes as Windows Service

Application launched itself

INFO

Checks proxy server information

Create files in a temporary directory

Reads the machine GUID from the registry

Checks supported languages

Reads Environment values

Reads the computer name

Reads the software policy settings

Creates files or folders in the user directory

Process checks computer location settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Modules

Information

Information

Information

Information

Information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings