RKInstaller.exe

TMRG, Inc.

This component is part of the TMRG platform, which tracks web browsing behavior, including sites and domains visited and ads clicked. The application RKInstaller.exe, “Relevant-Knowledge Installer” by TMRG, has been detected as adware by 25 anti-malware scanners. It is part of RelevantKnowledge, a program typically installed via a software bundle (with the user's knowledge, should they read the EULA) that runs in the background collecting and monitoring information about the user's behavior in order to build an extensive profile.
Publisher:
TMRG, INC.  (signed by TMRG, Inc.)

Description:
Relevant-Knowledge Installer

Version:
1, 0, 0, 86

MD5:
af8ac2a4307d949833cf26af5d958bdf

SHA-1:
0fede0997d3c5b9f1f70f99e42166e33e4c4ca15

SHA-256:
f8d11b1e3e027355a11163049b530de4fd67183abd08a691d5d18744653ef575

Scanner detections:
25 / 68

Status:
Adware

Analysis date:
4/25/2024 7:07:13 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.Relevant.BH | 1151
Agnitum Outpost | Adware.Relevant | 7.1.1
AhnLab V3 Security | Adware/Win32.Relevant | 2013.12.29
avast! | Win32:PUP-gen [PUP] | 2014.9-130824
AVG | RelevantKnowledge | 2014.0.3539
Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.131126
Bitdefender | Adware.Relevant.BH | 1.0.20.1180
Bkav FE | W32.Clod90f.Trojan | 1.3.0.4613
Boost by Reason | Adware.Installer.TMRG.L | 2013.8.24.13
Comodo Security | ApplicUnwnt.Win32.AdWare.RK.~A | 17516
Dr.Web | Trojan.DownLoader7.55414 | 9.0.1.0236
Emsisoft Anti-Malware | Adware.Relevant.BH | 8.13.08.24.01
ESET NOD32 | Win32/Adware.RK.AG | 7.9190
F-Secure | Adware.Relevant.BH | 11.2013-26-11_3
G Data | Adware.Relevant.BH | 13.8.22
Kaspersky | not-a-virus:WebToolbar.Win32.RK | 14.0.0.3773
Malwarebytes | PUP.Adware.RelevantKnowledge | v2013.08.24.01
MicroWorld eScan | Adware.Relevant.BH | 14.0.0.708
NANO AntiVirus | Trojan.Win32.Relevant.cbpecr | 0.28.0.57029
nProtect | Adware/W32.Agent.451600 | 13.12.27.01
Reason Heuristics | PUP.Installer.TMRG.L | 14.8.7.22
Rising Antivirus | PE:Trojan.Win32.Generic.12E2188E!316807310 | 23.00.65.13822
Sophos | Relevant-Installer | 4.96
VIPRE Antivirus | Adware.Win32.RelevantKnowledge.a | 24866
XVirus List | Win32.Detected | 2.8.7

File size:
441 KB (451,600 bytes)

Product version:
1, 0, 0, 86

Copyright:
Copyright (C) 2005-2009

Original file name:
RKInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\rkinstaller.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/20/2011 5:00:00 PM

Valid to:
1/11/2013 3:59:59 PM

Subject:
CN="TMRG, Inc.", O="TMRG, Inc.", L=Reston, S=Virginia, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
3E610C00C4D725B9689279CC88EEA594

File PE Metadata
Compilation timestamp:
8/23/2011 8:03:39 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:ZZmQiKD+jSaSIBRN1u49+BbE5VjPr6FkC+rfnsQg7zRQiV/R7f2tTBqHtSu:yKDJ3YaojD6FkC+rfns597f2tTsNb

Entry address:
0x35B1D

Entry point:
E8, C9, CD, 00, 00, E9, 16, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 07, 83, F8, FE, 74, 0D, 8B, 4F, 04, 03, CE, 33, 0C, 30, E8, C5, 8A, FF, FF, 8B, 4F, 0C, 8B, 47, 08, 03, CE, 33, 0C, 30, E9, B5, 8A, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 83, EC, 14, 53, 8B, 5C, 24, 20, 55, 56, 8B, 73, 08, 33, 35, A8, 94, 46, 00, 57, 8B, 06, 83, F8, FE, C6, 44, 24, 13, 00, C7, 44, 24, 18, 01, 00, 00, 00, 8D, 7B, 10, 74, 0D, 8B, 4E, 04, 03, CF, 33, 0C, 38, E8, 71, 8A, FF, FF, 8B, 4E, 0C, 8B, 46...
 

Entropy:
6.4569

Code size:
344 KB (352,256 bytes)

The file RKInstaller.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to post.securestudies.com  (165.193.78.234:443)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)
