Safe
Legitimate FunPlus game launcher signed by FunPlus International AG; 16 tier-1 engines silent; heuristic triggers reflect normal installer behaviour.
5df8dd0e2108f541e9…a8d72cc960
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence strongly supports a benign classification. Zero tier-1 malicious detections across 70 reporting engines, with 16 tier-1 engines explicitly reporting clean. The file is signed by FunPlus International AG, a legitimate commercial game publisher, with no brand mismatch. Prevalence data shows 1,133 unique submitters and 1,232 submissions over 251 days, indicating a widely distributed, established file. Sandbox analysis found no malicious verdicts, no malicious dropped children (10 inspected, 0 malicious), and no contact with hosts in our malicious cache. The four triggered heuristics (WmicExecution, ProcessInjection, CredentialDumper, DirectIpC2) are false positives: the file writes include legitimate game assets (fonts, GIFs, PNGs) to FunPlus directories; the processes spawned are legitimate Windows services and the FunPlus launcher; and the direct-IP contact is typical for game servers bypassing DNS filtering. Community feedback is mixed but leans toward benign (FileScan.IO: NO_THREAT 100/100; one researcher: Clean with valid cert).
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0/70 malicious; tier1Malicious=0; tier1ReportedClean=16 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, GData, F-Secure, Emsisoft, Avira, AVG, DrWeb all silent)
signing.verified=true, signer='FunPlus International AG' — legitimate commercial game publisher; no brand mismatch
prevalence.classification='common_old' — 1133 submitters, 1232 submissions over 251 days; widely distributed established file
behaviour: 10 dropped children inspected, 0 malicious; hasMaliciousSandboxVerdict=false; contacted 15 IPs, 0 malicious hosts in cache
triggeredHeuristics: 4 rules fired (WmicExecution, ProcessInjection, CredentialDumper, DirectIpC2) but all are heuristic detections; processes and file writes consistent with FunPlus game launcher (Foundation Galactic Frontier)
- Signed by FunPlus International AG (legitimate commercial game publisher)
- 16 tier-1 antivirus engines report clean
- 1,133 unique submitters, 1,232 submissions over 251 days (widely distributed, established file)
- Zero malicious dropped children (10 inspected)
- Zero contact with malicious hosts in our cache
This file is safe. It is the legitimate FunPlus game launcher signed by FunPlus International AG. The heuristic triggers are false positives reflecting normal installer behaviour. No further action is needed.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\fnd_tmp.dl
- C:\Users\<USER>\AppData\Local\Temp\fnd.exe
- C:\Users\<USER>\AppData\Local\Temp\fpx_for_ss.dll
- C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\Font\FZYaSong-B-GBK.ttf
- C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\Font\Source Han Sans SC.ttf
- C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\1.0.1.940\libs\wesight\crashsight_data\crashsight_data_db-journal
- C:\Users\<USER>\AppData\LocalLow\Kingsgroup\test.exe
- C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\uninstall.exe
- C:\Program Files (x86)\FunPlus\Foundation Galactic Frontier\dd539382
- dc_launcher
- Global\{D90D5747-26D3-417C-AC5E-01EA742C5633}Foundation Galactic Frontier
- cversions.3.m
- FPX_CLIENT_Funplus-PC.Funplus-PC.Afawys_prod.win.mutex
- \Sessions\1\BaseNamedObjects\dc_launcher
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
Sample spawned wmic with Process.Create / XSL — WMI is a common execution proxy for malware trying to evade process-tree monitoring.
Evidence: wmic OS get Version /VALUE

MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe

Sample contacted 19 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 44.242.31.69 · 23.53.127.105 · 43.163.62.120
0 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: 2m.exe
- Size: 2.18 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 5df8dd0e2108f541e9ae564e9238e761a5e4ff13c461b4e5734798a8d72cc960
- MD5: 3cb1eff35aeab7ce8097a5abbccc7a99
- SHA-1: 776441a5c2999006a3b3f2b4d248b0e12fc927d2
- PE imphash: 95171b1f9b44557931f50b87c9370c1b
- First seen (VT): 10/24/2025, 5:30:11 AM
- Last analysis (VT): 7/2/2026, 7:28:19 AM
- First scan (MalwareTips): 7/2/2026, 10:54:28 AM
- Last scan (MalwareTips): 7/2/2026, 10:54:28 AM
- Code signer: FunPlus International AG (verified)