RKInstaller.exe

TMRG Inc.

RKInstaller.exe is a component of the TMRG platform, which tracks web browsing habits, including the sites and domains visited and the ads clicked. The application RKInstaller.exe, the "Relevant-Knowledge Installer" by TMRG, has been detected as adware by 18 anti-malware scanners. The file is typically installed with the program Open Downloader Manager by Installer Technology Co, which is a potentially unwanted program. It is part of RelevantKnowledge, a program typically installed via a software bundle (with the user's knowledge, should they read the EULA) that runs in the background collecting and monitoring information about the user's behavior in order to build an extensive profile.
Publisher:
TMRG, INC. (signed by TMRG Inc.)

Description:
Relevant-Knowledge Installer

Version:
1.0.1.4 (Build 4)

MD5:
25e65e1c96264024922dec25233fd6f0

SHA-1:
7dca11208de954c55e352a1ca266b223ece286fa

SHA-256:
06f11f4a555a4891c93f13f82dc06e8bcedda2a71c8a5e6aa5c18da871f41238

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Bundled via 3rd-party installers and monitors the user's behavior.

Analysis date:
9/23/2018 8:03:14 AM UTC

Scan engine              Detection                                     Engine version
Antiy Labs AVL           RiskWare[WebToolbar:not-a-virus]/Win32.RK     0.1.0.1
avast!                   Win32:Relevant-X [PUP]                        2014.9-140221
Comodo Security          ApplicUnwnt                                   17820
Dr.Web                   Adware.Relevant.101                           9.0.1.0160
Emsisoft Anti-Malware    Application.Generic.964608                    8.15.06.09.03
ESET NOD32               Win32/Adware.RK.AG (variant)                  8.9451
F-Secure                 Riskware.Application.Generic.964608           11.2015-09-06_3
K7 AntiVirus             Unwanted-Program                              13.176.11226
K7 Gateway Antivirus     Unwanted-Program                              13.176.11226
Kaspersky                not-a-virus:WebToolbar.Win32.RK               14.0.0.4276
Kingsoft AntiVirus       Win32.Troj.RK.g.(kcloud)                      331020.49267
Malwarebytes             PUP.Optional.RelevantKnowledge                v2014.02.21.07
Norman                   Application.Generic.964608                    11.20150609
Reason Heuristics        PUP.Installer.TMRG.L                          14.2.21.19
Sophos                   Generic PUA HN                                4.97
Trend Micro House Call   TROJ_GEN.F47V0109                             7.2.52
VIPRE Antivirus          Marketscore.RelevantKnowledge                 26682
XVirus List              Win.Detected                                  2.3.31

File size:
385.3 KB (394,520 bytes)

Product version:
1.0.1.4 (Build 4)

Copyright:
Copyright © 2007-2013

Original file name:
RKInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\rkinstaller.exe

Digital Signature
Signed by:
TMRG Inc.
Authority:
VeriSign, Inc.

Valid from:
12/1/2013 6:00:00 PM

Valid to:
1/31/2016 5:59:59 PM

Subject:
CN=TMRG Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TMRG Inc., L=Reston, S=Virginia, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
51FEA1E74EDC6FFFF4BD5F65BD540362

File PE Metadata
Compilation timestamp:
12/18/2013 8:36:10 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:Vd7bRzhcrnZFUMR6uFTg3o+qWpRqhonTshyT:7xzWrnZFUMRVq4+qWKonTtT

Entry address:
0x1E02A


Entropy:
6.6323

Code size:
302 KB (309,248 bytes)

The file RKInstaller.exe has been discovered within the following program.

Open Downloader Manager  by Installer Technology Co
ODM is a download manager that plugs into various web browsers (IE, Chrome and Firefox). The installer is designed to bundle and offer various additional offers including toolbars and other potentially harmful programs.
opendownloadmanager.com

When executed in live analysis environments, the file has been observed making the following network connections.

TCP (HTTP SSL):
Connects to post.securestudies.com  (165.193.78.234:443)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

TCP (HTTP):
Connects to relevantknowledge.com  (165.193.78.245:80)

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

TCP (HTTP):
Connects to 125.235.4.59.adsl.viettel.vn  (125.235.4.59:80)

Remove RKInstaller.exe - Powered by Reason Core Security