rkinstall.exe

TMRG, Inc.

This component is part of the TMRG platform, which tracks web browsing behavior, including the sites and domains visited and the ads clicked. The application rkinstall.exe, “RelevantKnowledge Installer” by TMRG, has been detected as adware by 27 anti-malware scanners. It is a setup and installation application and has been known to bundle potentially unwanted software. It is part of RelevantKnowledge, a program typically installed via a software bundle (with the user's knowledge, should they read the EULA) that runs in the background collecting and monitoring information about the user's behavior in order to build an extensive profile.
Publisher:
TMRG, Inc.  (signed and verified)

Description:
RelevantKnowledge Installer

Version:
1, 0, 0, 82

MD5:
cbd0707569ec6cf952912ac4c42c37da

SHA-1:
7e7dced5cbf6f86dc97884133301e6de3f2f57cc

SHA-256:
aa04f3c0c1634eabaa4cf8fd1e79882da243c16b1ae8c76c17e1eef5e013e613

Scanner detections:
27 / 68

Status:
Adware

Analysis date:
4/23/2024 2:31:08 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.Relevant.BA | 1053 |
| AhnLab V3 Security | Adware/Win32.Relevant | 2014.02.07 |
| Avira AntiVirus | Adware/Relevant.Q | 7.11.129.216 |
| avast! | Win32:PUP-gen [PUP] | 2014.9-140318 |
| AVG | RelevantKnowledge | 2015.0.3531 |
| Bitdefender | Adware.Relevant.BA | 1.0.20.385 |
| Bkav FE | W32.Clodf12.Trojan | 1.3.0.4923 |
| Dr.Web | Adware.Relevant.78 | 9.0.1.077 |
| Emsisoft Anti-Malware | Adware.Relevant.BA | 8.14.03.18.02 |
| ESET NOD32 | Win32/Adware.RK.AB | 8.9389 |
| Fortinet FortiGate | Riskware/OSS | 3/18/2014 |
| F-Prot | W32/AdSpy.A | v6.4.7.1.166 |
| F-Secure | Adware.Relevant.BA | 11.2014-18-03_3 |
| G Data | Adware.Relevant.BA | 14.3.24 |
| IKARUS anti.virus | not-a-virus:Adware.RelevantKnowledge.cb | t3scan.2.2.29 |
| Kaspersky | not-a-virus:WebToolbar.Win32.RK | 14.0.0.4152 |
| Malwarebytes | PUP.Optional.RelevantKnowledge | v2014.03.18.02 |
| MicroWorld eScan | Adware.Relevant.BA | 15.0.0.231 |
| NANO AntiVirus | Trojan.Win32.Relevant.xrotp | 0.28.0.57630 |
| nProtect | Adware.Relevant.BA | 14.02.06.02 |
| Quick Heal | Spyware.Marketscore (Not a Virus) | 3.14.12.00 |
| Reason Heuristics | PUP.Installer.TMRG.J | 14.8.7.22 |
| Sophos | RKnowledge Installer | 4.97 |
| SUPERAntiSpyware | Spyware.RelevantKnowledge | 10720 |
| Vba32 AntiVirus | Adware.Relevant.0961 | 3.12.24.3 |
| VIPRE Antivirus | Adware.Win32.RelevantKnowledge.a | 26196 |
| XVirus List | Win32.Detected | 2.8.7 |

File size:
348.6 KB (356,992 bytes)

Product version:
1, 0, 0, 82

Copyright:
Copyright (C) 2005-2009

Original file name:
RKInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\rkinstall.exe

Digital Signature
Signed by:

Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
7/17/2007 1:00:00 AM

Valid to:
9/28/2009 12:59:59 AM

Subject:
CN="TMRG, Inc.", OU=SECURE APPLICATION DEVELOPMENT, O="TMRG, Inc.", L=Reston, S=Virginia, C=US

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
02491544000D8C9D63F061B1EBAE8466

File PE Metadata
Compilation timestamp:
6/10/2009 10:30:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:mS8WXivXWk0qeOhmwPrYohOR9QUrIxX/FVqc7gv7R0rpKo85/kE:mM6XFpLh1Pr9hOR9QcIxX/fqc7gvKrsL

Entry address:
0x34108

Entry point:
6A, 60, 68, 80, 8C, 44, 00, E8, 20, 2B, 00, 00, BF, 94, 00, 00, 00, 8B, C7, E8, E0, DF, FF, FF, 89, 65, E8, 8B, F4, 89, 3E, 56, FF, 15, EC, 40, 44, 00, 8B, 4E, 10, 89, 0D, AC, 92, 45, 00, 8B, 46, 04, A3, B8, 92, 45, 00, 8B, 56, 08, 89, 15, BC, 92, 45, 00, 8B, 76, 0C, 81, E6, FF, 7F, 00, 00, 89, 35, B0, 92, 45, 00, 83, F9, 02, 74, 0C, 81, CE, 00, 80, 00, 00, 89, 35, B0, 92, 45, 00, C1, E0, 08, 03, C2, A3, B4, 92, 45, 00, 33, F6, 56, 8B, 3D, D0, 41, 44, 00, FF, D7, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03...

Developed / compiled with:
Microsoft Visual C++ v7.0

Code size:
268 KB (274,432 bytes)

The executable has been observed making the following network communication in live environments.

TCP (HTTP SSL):
Connects to post.securestudies.com  (165.193.78.234:443)
