Safe
Zero engine detections on a newly submitted, signed Overwolf installer with clean sandbox and child-file results.
57fac95018b9455654…bcd51263b6The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The complete absence of malicious detections across tier-1 and tier-2 engines combined with verified signing by Overwolf Ltd strongly supports a benign classification. Similar-hash RAG shows a prior safe verdict on another Overwolf installer using the same signer. Although synthetic heuristics flagged process-injection and LSASS activity, these behaviours are consistent with a legitimate installer unpacking Electron/WebView2 components and performing system diagnostics. No malicious sandbox verdict, no malicious children, and no malicious host contacts further corroborate safety.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious out of 73 total (tier1Malicious=0)
signing.verified=true, signer='Overwolf Ltd'
similarHashes[0].verdict='safe' (matchKind=signer)
behaviour.hasMaliciousSandboxVerdict=false, droppedChildren.hasMaliciousChild=false
prevalence.classification='rare_new', ageDays=0
- 0/73 engines flagged malicious
- verified signature by Overwolf Ltd
- no malicious sandbox verdict or dropped children
- prior safe verdict on same signer
- rare_new prevalence (only 2 submissions)
- synthetic heuristics flagged process injection and credential-dumping patterns
Proceed with installation after confirming the digital signature; the file shows no malicious indicators across engines, behaviour, or children.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 104.18.29.96
- 3.169.202.80
- 18.154.101.114
- 18.154.101.94
- 192.178.212.95
- 3.169.202.6
- 99.84.118.22
- 18.238.176.32
- 173.194.194.94
- 8.8.8.8
- https://launcherupdates.lunarclientcdn.com/latest-ow.yml
- https://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=&PartnerID=0&Name=Manual_Funnel2_Installer_Launched_v2&Value=1&UserName=&GameSessionId=&Extra=%257b%2522OSBuild%2522%253a%252210.0.19044.1288%2522%252c%2522isElectron%2522%253a%2522true%2522%252c%2522appId%2522%253a%2522jilehohlakeokncafogkgnicgndeecdiengddbcc%2522%257d&owver=2.304.0.13&MUID=1f40ba10-aa53-4ce2-b379-f63ed62283d4&MUIDV2=e8fb4040-f448-467b-80bd-92e387709463
- https://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=&PartnerID=0&Name=Manual_Installer_Launched_v2&Value=1&UserName=&GameSessionId=&Extra=%257b%2522OSBuild%2522%253a%252210.0.19044.1288%2522%252c%2522isElectron%2522%253a%2522true%2522%252c%2522appId%2522%253a%2522jilehohlakeokncafogkgnicgndeecdiengddbcc%2522%252c%2522existingUUID%2522%253a%25221f40ba10-aa53-4ce2-b379-f63ed62283d4%2522%252c%2522appstoreUUID%2522%253anull%252c%2522uid%2522%253a%2522jilehohlakeokncafogkgnicgndeecdiengddbcc%2522%252c%2522clientInstalled%2522%253a%2522False%2522%257d&owver=2.304.0.13&MUID=1f40ba10-aa53-4ce2-b379-f63ed62283d4&MUIDV2=e8fb4040-f448-467b-80bd-92e387709463
- https://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=&PartnerID=0&Name=installer_webbrowser_init_v2&Value=1&UserName=&GameSessionId=&Extra=%257b%2522OSBuild%2522%253a%252210.0.19044.1288%2522%252c%2522isElectron%2522%253a%2522true%2522%252c%2522appId%2522%253a%2522jilehohlakeokncafogkgnicgndeecdiengddbcc%2522%252c%2522ver%2522%253a%2522122.0.2365.92%2522%257d&owver=2.304.0.13&MUID=1f40ba10-aa53-4ce2-b379-f63ed62283d4&MUIDV2=e8fb4040-f448-467b-80bd-92e387709463
- http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=350443589&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=137719788&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1437153711.1783294892.1783294892.1783294892.2%3B%2B__utmz%3D0.1783294892.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event
- http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=869566930&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=977747094&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1437153711.1783294892.1783294892.1783294892.2%3B%2B__utmz%3D0.1783294892.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\UserInfo.dll
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\System.dll
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\uac.dll
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\nsProcess.dll
- C:\Users\<USER>\AppData\Local\Overwolf\OWInstall.log
- C:\Users\<USER>\AppData\Local\Temp\ow-electron\InstallerTrace_2026-07-07_20-33_3616.log
- C:\Users\<USER>\AppData\Local\Overwolf\Settings\bak\SettingsPageBasic.xml.bak
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\OWinstaller.exe.WebView2\EBWebView\BrowserMetrics-spare.pma
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\OWinstaller.exe.WebView2\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index
- C:\Users\<USER>\AppData\Local\Temp\nsmB5A5.tmp\OWinstaller.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\temp-index
- C__Users_Bruno_AppData_Local_Temp_ow-electron_InstallerTrace_2026-07-07_20-33_3616.log_rolling
- OverwolfInstaller_Lunar Client
- Local\ChromeProcessSingletonStartup!
- __OMADM_NAMED_MUTEX__
- Local\DDrawWindowListMutex
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- fbcfe23a2ecb82b7100c…dc0f2dNever scannednever seen before
- 9c46f7929b08c87518aa…cdb3beNever scannednever seen before
- 4da28ba55f43cc1d03d5…6c512eNever scannednever seen before
- 5c2fba2311105df5c850…411b3dNever scannednever seen before
- b152284fd1ef5cebee56…b4cb1fNever scannednever seen before
- c69ad6c6a1d6d89336e1…be49ddNever scannednever seen before
- 078382c80c2c3b4f6452…3eb976Never scannednever seen before
- 5091f122e60714f35dbc…1a0c45Never scannednever seen before
- 83fff6ded423944d0d6d…61c383Never scannednever seen before
- af10225db6ff7d4b67d0…9dc9aeNever scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 13 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence104.18.29.96 · 3.169.202.80 · 18.154.101.114
0 detections across 73 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- Lunar Client - Installer.exe
- Size
- 3.06 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 57fac95018b945565454396e7481619c07cd6b13acdbdd3342577ebcd51263b6
- MD5
- 3cefec25c59d5983749a4a03e6fb165f
- SHA-1
- 6a3a6b157ca16c6bce131b81c36b829aeaecacd0
- PE imphash
- 56a78d55f3f7af51443e58e0ce2fb5f6
- First seen (VT)
- 7/7/2026, 4:33:07 PM
- Last analysis (VT)
- 7/7/2026, 4:33:07 PM
- First scan (MalwareTips)
- 7/7/2026, 5:19:21 PM
- Last scan (MalwareTips)
- 7/7/2026, 5:19:21 PM
- Code signer
- Overwolf Ltdverified
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.