home

minecraftinstaller.exe

Minecraft Client Demo

RICH MEDIA SYSTEMS INC.

The application minecraftinstaller.exe by RICH MEDIA SYSTEMS INC has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from minecraft-client.1800download.com.
Publisher:
RICH MEDIA SYSTEMS INC.  (signed and verified)

Product:
Minecraft Client Demo

Version:
1.0.0.0

MD5:
6604fd5cf04435688795904c046de2e6

SHA-1:
837f85815a958a4c3a597df76a475e506acfcd21

SHA-256:
2fd17170240f9f07cc8c1c9e2dc868135c6e4e1c1c3e3dcd90c37aadc69c25d7

Scanner detections:
21 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
10/12/2025 3:27:49 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.OpenCandy
2015.08.10

avast!
Win32:Malware-gen
2014.9-160122

AVG
OpenCandy
2017.0.2856

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.16122

Bkav FE
W32.Clod8c5.Trojan
1.3.0.7062

Clam AntiVirus
Win.Trojan.Agent-855157
0.98/21511

Dr.Web
Adware.Downware.10304
9.0.1.022

ESET NOD32
Win32/OpenCandy.C potentially unsafe (variant)
10.12067

Fortinet FortiGate
Riskware/OpenCandy
1/22/2016

G Data
Win32.Application.OpenCandy
16.1.25

K7 AntiVirus
Trojan
13.207.16831

Malwarebytes
PUP.Optional.OpenCandy
v2016.01.22.12

McAfee
Artemis!8D8297671BEE
5600.6512

NANO AntiVirus
Riskware.Win32.Downloader.dqybkl
0.30.24.3079

Panda Antivirus
PUP/OpenCandy
16.01.22.12

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.RICHMEDIASYSTEMS.Installer (M)
16.1.22.12

Sophos
OpenCandy (PUA)
4.98

Trend Micro House Call
Suspicious_GEN.F47V0401
7.2.22

VIPRE Antivirus
Sevas-S Installer
42736

File size:
415.7 KB (425,712 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\minecraftinstaller.exe

Digital Signature
Signed by:
RICH MEDIA SYSTEMS INC.

Authority:
Symantec Corporation

Valid from:
2/16/2015 10:00:00 PM

Valid to:
2/17/2016 9:59:59 PM

Subject:
CN=RICH MEDIA SYSTEMS INC., O=RICH MEDIA SYSTEMS INC., L=HENDERSON, S=Nevada, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
3F87144C25AF8BCF29F29C5A1FEEF4BA

File PE Metadata
Compilation timestamp:
5/19/2013 8:53:00 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:UiuB93q/bTmFLpVGP/n1l/+SbP4Ae04RSkqIvGZ:IW2FXC/1l/+CP4AezSkFvy

Entry address:
0x331C

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 70, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 98, 92, 42, 00, E8, A8, 2E, 00, 00, A3, E4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 90, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, 7C, 93, 40, 00, 68, E0, 81, 42, 00, E8, 13, 2B, 00, 00, FF, 15, 34, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 01, 2B, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file minecraftinstaller.exe has been seen being distributed by the following URL.

http://minecraft-client.1800download.com/get_azure_file/wUiS4WnYccXEwj /TeqjC1c0kw48PjylEBH6Z9Xat h152f0sCw22dBNJ0bterruNDC2w15KdDrYCeLkErM90btiwcOdBR6avCX7BlS34S tgLbbq9PKlmFDo5wiiBZIUny1XGEpwJZr7CC5UGCTUr1YytXqdD0FYqttbAoEcKXwXGg4IZCaeVxhnqqnGCUvasarhf8 V2O7ulGMlv5sDoDpKYHuMyAVmoPhD JnlRwT55qg1AatPegkwWi7UJMEu5n/UXKquZKaiHV5M6RIBo4/M20gs/.../xqYiZnlFwbTCV7i5tg5qXYS70EAPD3bIqewm9

Remove minecraftinstaller.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.