File name:

Forza Horizon 6 Luna Version 1.3.4.exe

Full analysis: https://app.any.run/tasks/6193d0c3-f839-4882-b847-b9a6a1fdb098
Verdict: Malicious activity
Analysis date: May 28, 2026, 05:09:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5: B38F66DE92D860CE12C09D22D7A3FC59
SHA1: 7DB9487FD1B2E7C3E3426AE9D1E598C17D8A65DD
SHA256: F5CB7D3F94B9C5D9256D3C72D84E8F08E8A83F754E7805DAA7EA301C64339E71
SSDEEP: 49152:eFAwyy/hbRqn9pZMUawHf/EMb2i3dV3eiub5up7EV57Qs9UZmCrcX1A:MEy/Py9XM5bi3w7QYomCoX1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Proxy execution via Explorer

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • The process executes files with name similar to system file names

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • Creates file in the systems drive root

      • explorer.exe (PID: 5392)
      • explorer.exe (PID: 7912)
  • INFO

    • Reads the machine GUID from the registry

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • Checks supported languages

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • Reads security settings of Internet Explorer

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
      • explorer.exe (PID: 5392)
      • explorer.exe (PID: 7912)
    • Reads the computer name

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • Process checks computer location settings

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
    • Create files in a temporary directory

      • Forza Horizon 6 Luna Version 1.3.4.exe (PID: 7248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:05:26 22:04:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 11
CodeSize: 948224
InitializedDataSize: 101376
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.4.0
ProductVersionNumber: 1.3.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Windows utility for applying live Forza Horizon 6 Luna workflows with a modern Fluent interface.
CompanyName: Forza Horizon 6 Luna Contributors
FileDescription: Forza Horizon 6 Luna
FileVersion: 1.3.4.0
InternalName: Forza Horizon 6 Luna.exe
LegalCopyright: Copyright (c) 2026 Contributors
OriginalFileName: Forza Horizon 6 Luna.exe
ProductName: Forza Horizon 6 Luna
ProductVersion: 1.3.4
AssemblyVersion: 1.3.4.0
No data.
All screenshots are available in the full report
Total processes
159
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

start forza horizon 6 luna version 1.3.4.exe explorer.exe no specs explorer.exe no specs explorer.exe no specs explorer.exe no specs forza horizon 6 luna version 1.3.4.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 5392
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 6672
CMD: "C:\Windows\explorer.exe" C:\Users\admin\AppData\Local\Temp
Path: C:\Windows\explorer.exe
Parent process: Forza Horizon 6 Luna Version 1.3.4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 7248
CMD: "C:\Users\admin\AppData\Local\Temp\Forza Horizon 6 Luna Version 1.3.4.exe"
Path: C:\Users\admin\AppData\Local\Temp\Forza Horizon 6 Luna Version 1.3.4.exe
Parent process: explorer.exe
User:
admin
Company:
Forza Horizon 6 Luna Contributors
Integrity Level:
HIGH
Description:
Forza Horizon 6 Luna
Version:
1.3.4.0
Modules
Images
c:\users\admin\appdata\local\temp\forza horizon 6 luna version 1.3.4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7912
CMD: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 8416
CMD: "C:\Users\admin\AppData\Local\Temp\Forza Horizon 6 Luna Version 1.3.4.exe"
Path: C:\Users\admin\AppData\Local\Temp\Forza Horizon 6 Luna Version 1.3.4.exe
Parent process: explorer.exe
User:
admin
Company:
Forza Horizon 6 Luna Contributors
Integrity Level:
MEDIUM
Description:
Forza Horizon 6 Luna
Exit code:
3221226540
Version:
1.3.4.0
Modules
Images
c:\users\admin\appdata\local\temp\forza horizon 6 luna version 1.3.4.exe
c:\windows\system32\ntdll.dll
PID: 9124
CMD: "C:\Windows\explorer.exe" C:\Users\admin\AppData\Local\Temp
Path: C:\Windows\explorer.exe
Parent process: Forza Horizon 6 Luna Version 1.3.4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
11 677
Read events
11 642
Write events
35
Delete events
0

Modification events

(PID) Process: (5392) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
Operation: write
Name: MRUListEx
Value:
0400000005000000010000000600000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF
(PID) Process: (5392) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0\0\0
Operation: write
Name: MRUListEx
Value:
000000000400000005000000030000000200000001000000FFFFFFFF
(PID) Process: (5392) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
(PID) Process: (5392) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process: (5392) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value:
1
(PID) Process: (5392) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: MinimizedStateTabletModeOff
Value:
0
(PID) Process: (5392) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: QatItems
Value:
(PID) Process: (5392) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Operation: write
Name: ITBar7Layout
Value:
(PID) Process: (5392) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\39\Shell
Operation: write
Name: SniffedFolderType
Value:
Generic
(PID) Process: (5392) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value:
141
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7248
Process: Forza Horizon 6 Luna Version 1.3.4.exe
Filename: C:\Users\admin\AppData\Local\Temp\reports\sql_reference.sql
Type: text
MD5:A4E0E7E190C51F92046DE9F56AFF016E
SHA256:85AA00EA45440CEA057851C797C7F9C498781BC82C62E5DD7702F9F0F2639B78
PID: 7248
Process: Forza Horizon 6 Luna Version 1.3.4.exe
Filename: C:\Users\admin\AppData\Local\Temp\ForzaHorizon6_Luna.log
Type: text
MD5:A41DA8AEA3BB6CBAE84D38A43C76FC04
SHA256:B1C754E92950F4736D161A8AAD1DD73F1FA1D6C7EEFA7C8FAA4BC4AA6D3267BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
45
TCP/UDP connections
20
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAFUWohyJgUzPcAAAAAAAU%3D
US
binary
960 b
whitelisted
9108
svchost.exe
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
GET
200
23.11.40.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
NL
binary
471 b
whitelisted
9108
svchost.exe
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
1728
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1728
svchost.exe
GET
200
48.209.138.189:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
5.84 Kb
whitelisted
1728
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
9108
svchost.exe
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1728
svchost.exe
48.209.138.168:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
48.209.138.168:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
92.123.104.49:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.11.40.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3428
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
9108
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 48.209.138.168
  • 48.209.138.189
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.49
  • 92.123.104.29
  • 92.123.104.30
  • 92.123.104.31
  • 92.123.104.46
  • 92.123.104.37
  • 92.123.104.32
  • 92.123.104.36
  • 92.123.104.41
whitelisted
ocsp.digicert.com
  • 23.11.40.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 192.178.183.101
  • 192.178.183.138
  • 192.178.183.139
  • 192.178.183.113
  • 192.178.183.100
  • 192.178.183.102
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.130
  • 20.190.159.131
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted

Threats

PID
Process
Class
Message
1728
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info