UmeshJantli
New Member
August 23, 2024
Question

Malicious File located in user machine 642226271.ico

  • August 23, 2024
  • 3 replies
  • 2106 views

Hello Team, 

 

We have an alert about a malicious file, 642226271.ico, located on a user machine. The file path is C:\Program Files\Fortinet\FortiClient\SoftwareInventory\642226271.ico

We need to know how this file, which has a malicious reputation, got into this file path. The user has not downloaded or tried to modify the file.

3 replies

kumarh
Staff
August 24, 2024

Are you using FortiClient EMS? There is a current EMS vulnerability (https://www.fortiguard.com/psirt/FG-IR-24-007) affecting EMS versions **7.0.1 through 7.0.10** and **7.2.0 through 7.2.2**. Please ensure your EMS is up to date (7.2.3+ or 7.0.11+). For on-premise EMS, take an EMS VM snapshot before running the upgrade. If your EMS server is already up to date, this message can be ignored.
Make sure that FortiClient is running an updated version.

ebilcari
Staff
August 25, 2024

This looks like a false positive alert; FCT collects the icons of the software installed on the system in this path. I see that you have already created a ticket with TAC support; you will receive more details in the ticket.

Emirjon
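As an added example (not part of ebilcari's reply and not Fortinet's own tooling), a PowerShell triage script that checks whether the flagged file is structurally a Windows icon and gathers the facts worth attaching to the TAC ticket. The path is the one from the question; the hash, owner and timestamps are whatever the host returns. The final listing shows the other icons FortiClient has collected in the same folder, so you can see whether the flagged file fits the pattern (same owner, similar write times) or stands out.

```powershell
# Added triage example, not code from the thread. Run on the affected host.
# The path is the one reported in the question.
$Path = 'C:\Program Files\Fortinet\FortiClient\SoftwareInventory\642226271.ico'

function Test-IcoHeader {
    param([string]$FilePath)
    # ICONDIR header: idReserved = 0, idType = 1 (icon; 2 would be a cursor),
    # idCount >= 1. All three are little-endian 16-bit words.
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    if ($bytes.Length -lt 6) { return $false }
    $reserved = [BitConverter]::ToUInt16($bytes, 0)
    $type     = [BitConverter]::ToUInt16($bytes, 2)
    $count    = [BitConverter]::ToUInt16($bytes, 4)
    return ($reserved -eq 0 -and $type -eq 1 -and $count -ge 1)
}

$item = Get-Item -LiteralPath $Path
$acl  = Get-Acl  -LiteralPath $Path

# Facts for the ticket: is it really an icon, who wrote it, when, and its hash
[PSCustomObject]@{
    Path         = $item.FullName
    SizeBytes    = $item.Length
    CreatedUtc   = $item.CreationTimeUtc
    ModifiedUtc  = $item.LastWriteTimeUtc
    Owner        = $acl.Owner
    LooksLikeIco = Test-IcoHeader -FilePath $Path
    SHA256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

# Context: the other icons FortiClient has collected in the same folder.
# A genuine inventory icon should look like its neighbours.
Get-ChildItem -LiteralPath (Split-Path -Parent $Path) -Filter *.ico |
    Sort-Object LastWriteTimeUtc -Descending |
    Select-Object Name, Length, LastWriteTimeUtc,
        @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } } -First 10
```

If `LooksLikeIco` is `$true`, the owner is the SYSTEM or FortiClient service account, and the write time lines up with the neighbouring icons, that supports the false-positive reading; if the header check fails or the file was written by the interactive user, treat the reputation hit as real until proven otherwise. The SHA256 is also what you would submit to FortiGuard for a reputation review.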
woungchi3
New Member
August 25, 2024

Usually it's users downloading garbage, but if it's on startup, RTR in and check the Run and RunOnce registry entries (you'll have to getsid and run "reg query HKU\[SID]\path\to\Run"). The key may be there and may give you an idea. You could investigate the machine for PowerShell commands and scheduled tasks, and check the user's AppData (assuming it's running as a user, which it usually is these days). Hope that helps.
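The checks in the reply above, as an added PowerShell example (not the poster's code): it resolves the account to its SID, queries the Run and RunOnce keys under HKU and HKLM, lists scheduled tasks that execute from user-writable locations, pulls recent PowerShell script-block log events, and lists recently written executables and scripts under the user's AppData. `$UserName` is an assumption to replace with the account from the alert; the user's hive is only reachable under HKU while that user is logged on, so run this from an elevated session on the host (or through your EDR's remote shell) while the session is live.

```powershell
# Added persistence-check example, not the poster's code. Run elevated on the host.
# $UserName is an assumption: use the account named in the alert.
$UserName = 'DOMAIN\jdoe'

# Resolve the account to its SID so we can reach the user's hive under HKU
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# HKU is not a default PowerShell drive; map it once
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Run / RunOnce for the user (hive loaded only while logged on) and the machine
$runKeys = @(
    "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

# 2. Scheduled tasks outside the Microsoft tree, or running from user-writable paths
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions
        [PSCustomObject]@{
            Task      = $task.TaskName
            Path      = $task.TaskPath
            Execute   = $action.Execute
            Arguments = $action.Arguments
            Principal = $task.Principal.UserId
        }
    }
} | Where-Object {
    $_.Path -notmatch '^\\Microsoft\\' -or
    $_.Execute -match 'AppData|\\Temp\\|\\Public\\|ProgramData'
}

# 3. PowerShell script-block logging (Event ID 4104) from the last 7 days.
#    Properties[2] is the ScriptBlockText field of that event.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } } -First 20

# 4. Recently written executables and scripts under the user's AppData.
#    ProfileList maps the SID to the profile folder without guessing C:\Users\<name>.
$profileKey = Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" `
                  -ErrorAction SilentlyContinue
if ($profileKey) {
    $cutoff = (Get-Date).AddDays(-7).ToUniversalTime()
    Get-ChildItem -Path (Join-Path $profileKey.ProfileImagePath 'AppData') -Recurse `
            -Include *.exe, *.dll, *.ps1, *.vbs, *.js, *.bat, *.cmd, *.lnk -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt $cutoff } |
        Select-Object FullName, Length, LastWriteTimeUtc
}
```

Anything that surfaces in steps 1 or 2 pointing at a path under AppData, Temp or ProgramData is the first thing to hash and look up; step 3 only returns events if script-block logging is enabled on the host, so an empty result there is not evidence of absence.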