File verdict · Decided by the MT AI Engine
Our call

Safe

Legitimate FunPlus game launcher signed by FunPlus International AG; 16 tier-1 engines silent; heuristic triggers reflect normal installer behaviour.

Verified · FunPlus International AG
Trust score: 88 (High trust)
MT AI confidence: 92%
2m.exe
2.2 MB
5df8dd0e2108f541e9a8d72cc960
Antivirus engines
0 of 74 flagged
Code signing
Signed by FunPlus International AG
Age
First seen 8mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 92% (Very high)
Reasoning

The evidence strongly supports a benign classification. Zero tier-1 malicious detections across 70 reporting engines, with 16 tier-1 engines explicitly reporting clean. The file is signed by FunPlus International AG, a legitimate commercial game publisher, with no brand mismatch. Prevalence data shows 1,133 unique submitters and 1,232 submissions over 251 days, indicating a widely distributed, established file. Sandbox analysis found no malicious verdicts, no malicious dropped children (10 inspected, 0 malicious), and no contact with hosts in our malicious cache. The four triggered heuristics (WmicExecution, ProcessInjection, CredentialDumper, DirectIpC2) are false positives: the file writes include legitimate game assets (fonts, GIFs, PNGs) to FunPlus directories; the processes spawned are legitimate Windows services and the FunPlus launcher; and the direct-IP contact is typical for game servers bypassing DNS filtering. Community feedback is mixed but leans toward benign (FileScan.IO: NO_THREAT 100/100; one researcher: Clean with valid cert).

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/70 malicious; tier1Malicious=0; tier1ReportedClean=16 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, GData, F-Secure, Emsisoft, Avira, AVG, DrWeb all silent)

  2. signing.verified=true, signer='FunPlus International AG' — legitimate commercial game publisher; no brand mismatch

  3. prevalence.classification='common_old' — 1133 submitters, 1232 submissions over 251 days; widely distributed established file

  4. behaviour: 10 dropped children inspected, 0 malicious; hasMaliciousSandboxVerdict=false; contacted 15 IPs, 0 malicious hosts in cache

  5. triggeredHeuristics: 4 rules fired (WmicExecution, ProcessInjection, CredentialDumper, DirectIpC2) but all are heuristic detections; processes and file writes consistent with FunPlus game launcher (Foundation Galactic Frontier)

Points in its favour
  • Signed by FunPlus International AG (legitimate commercial game publisher)
  • 16 tier-1 antivirus engines report clean
  • 1,133 unique submitters, 1,232 submissions over 251 days (widely distributed, established file)
  • Zero malicious dropped children (10 inspected)
  • Zero contact with malicious hosts in our cache
What to do

This file is safe. It is the legitimate FunPlus game launcher signed by FunPlus International AG. The heuristic triggers are false positives reflecting normal installer behaviour. No further action is needed.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (40 techniques)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1003, T1005, T1012, T1016, T1027, T1027.002, T1027.005, T1036, T1047, T1055, T1057, T1059, T1063, T1064, T1071, T1082, T1083, T1106, T1112, T1129, T1198, T1202, T1222, T1485 (+16 more)
Spawned processes (15)
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
  • C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
  • "C:\Users\<USER>\Desktop\file.exe"
  • C:\Users\<USER>\AppData\Local\Temp\fnd.exe
  • C:\Windows\Explorer.EXE
  • "C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\Launcher.exe"
  • "C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\1.0.1.940\PC-Launcher.exe" --currentPath="C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier" --configVersion=1.0.1.940 --launchExe="C:\Program Files (x86)\FunPlus\Founda…
  • C:\Windows\system32\services.exe
+7 more processes captured.
Network activity (20)

IP addresses (20)
Filesystem & mutexes (36)

Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\fnd_tmp.dl
  • C:\Users\<USER>\AppData\Local\Temp\fnd.exe
  • C:\Users\<USER>\AppData\Local\Temp\fpx_for_ss.dll
  • C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\Font\FZYaSong-B-GBK.ttf
  • C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\Font\Source Han Sans SC.ttf
+10 more
Files deleted (11)
  • C:\Users\<USER>\AppData\Local\Temp\fnd_tmp.dl
  • C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\1.0.1.940\libs\wesight\crashsight_data\crashsight_data_db-journal
  • C:\Users\<USER>\AppData\LocalLow\Kingsgroup\test.exe
  • C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\uninstall.exe
  • C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\dd539382
+6 more
Mutexes created (10)
  • dc_launcher
  • Global\{D90D5747-26D3-417C-AC5E-01EA742C5633}Foundation Galactic Frontier
  • cversions.3.m
  • FPX_CLIENT_Funplus-PC.Funplus-PC.Afawys_prod.win.mutex
  • \Sessions\1\BaseNamedObjects\dc_launcher
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen: none of the 10 dropped children has been scanned or seen before.
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

4 synthesis rules
MITRE ATT&CK profile: Execution × 1, Defense evasion × 1, Credential access × 1, C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • WmicExecution (medium)

    Sample spawned wmic with Process.Create / XSL — WMI is a common execution proxy for malware trying to evade process-tree monitoring.

    Evidence
    wmic OS get Version /VALUE
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    44.242.31.69 · 23.53.127.105 · 43.163.62.120
Antivirus engine breakdown

0 detections across 74 engines

0 malicious · 0 suspicious · 74 clean
  • Tier-1 (17 engines, 0 flagged): Top commercial AVs (low FP rate)
  • Tier-2 (38 engines, 0 flagged): Mainstream engines with mixed FP rates
  • Low-trust (19 engines, 0 flagged): Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash 5df8dd0e2108… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Overall entropy: 7.64 (Unpacked)
Section entropy (5 sections)
  • .text: 6.65
  • .rdata: 6.23
  • .data: 4.06
  • .rsrc: 7.96
  • .reloc: 6.65
Scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
1,133
Hundreds of people have uploaded this — common.
Total submissions
1,232
Includes repeat uploads by the same source.
First seen by VT
8mo ago
Oct 24, 2025
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT)
10/24/2025, 5:30:11 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/2/2026, 7:28:19 AM
Scanned here
7/2/2026, 10:54:28 AM
File name
2m.exe
Size
2.18 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
5df8dd0e2108f541e9ae564e9238e761a5e4ff13c461b4e5734798a8d72cc960
MD5
3cb1eff35aeab7ce8097a5abbccc7a99
SHA-1
776441a5c2999006a3b3f2b4d248b0e12fc927d2
PE imphash
95171b1f9b44557931f50b87c9370c1b
First seen (VT)
10/24/2025, 5:30:11 AM
Last analysis (VT)
7/2/2026, 7:28:19 AM
First scan (MalwareTips)
7/2/2026, 10:54:28 AM
Last scan (MalwareTips)
7/2/2026, 10:54:28 AM
Code signer
FunPlus International AG (verified)
Behavior tags
overlay, peexe, checks-cpu-name, executes-dropped-file, signed
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.