FortiClient FCRemove.exe Exclusive

fcremove.exe is Fortinet’s official command-line cleanup tool. It is not installed by default with FortiClient. Instead, it is distributed as part of the FortiClient installation package (located in the x64 or x86 subfolders of the installer resources) or is available via Fortinet support.

The Exclusion That Wasn't

The attackers had found a zero-day. They realized that if they ran FCRemove.exe with a specific set of arguments—arguments meant for offline recovery environments—it would request an exclusive, uninterruptible handle to the antivirus’s kernel driver. The driver would comply. It was coded to trust its own uninstaller.

She right-clicked FCRemove.exe and selected .

The "Exclusive" flag in FCRemove.exe (often used as /exclusive or /force in enterprise scripts) triggers a high-priority cleanup routine: