rlvknlg.exe

Relevant-Knowledge

TMRG Inc.

The component is part of the TMRG platform, which tracks web-browsing habits, including the sites and domains visited and the ads clicked. The application rlvknlg.exe by TMRG has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address server-54-192-204-155.atl50.r.cloudfront.net on port 443.
Publisher:
TMRG, Inc.  (signed by TMRG Inc.)

Product:
Relevant-Knowledge

Version:
1.3.337.392 (Build 337.392)

MD5:
7b686ae62cef913d93ad475ea022e123

SHA-1:
43fd876cee64b1a50a7be99e3d9972b714043f6d

SHA-256:
db212d5996eaae3cfbb815be8a69a2940a5b5ac91ee1a1ae1e750c9b6cd2c81f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
10/22/2018 10:17:53 PM UTC

Scan engine          Detection        Engine version
Reason Heuristics    PUP.TMRG (M)     17.1.20.0

File size:
3.6 MB (3,740,576 bytes)

Product version:
1.3.337.392 (Build 337.392)

Copyright:
Copyright © 2001-2004

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\rlvknlg.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
1/18/2016 4:00:00 AM

Valid to:
2/17/2018 3:59:59 AM

Subject:
CN=TMRG Inc., O=TMRG Inc., L=Reston, S=Virginia, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
7E36C4BE2CEB69DF7BCEDB3B868E9EF9

File PE Metadata
Compilation timestamp:
12/29/2016 12:24:02 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x245F0C

Entry point:
E8, DC, 53, 01, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 8B, 45, 0C, 83, C0, 0C, 89, 45, FC, 64, 8B, 1D, 00, 00, 00, 00, 8B, 03, 64, A3, 00, 00, 00, 00, 8B, 45, 08, 8B, 5D, 0C, 8B, 6D, FC, 8B, 63, FC, FF, E0, 5B, C9, C2, 08, 00, 58, 59, 87, 04, 24, FF, E0, 58, 59, 87, 04, 24, FF, E0, 58, 59, 87, 04, 24, FF, E0, 8B, FF, 55, 8B, EC, 51, 51, 53, 56, 57, 64, 8B, 35, 00, 00, 00, 00, 89, 75, FC, C7, 45, F8, 88, 5F, 64, 00, 6A, 00, FF, 75, 0C, FF, 75, F8, FF, 75, 08, E8, 9C, 0D, 04, 00, 8B, 45, 0C, 8B...

Entropy:
6.6133

Code size:
2.7 MB (2,820,096 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-192-204-155.atl50.r.cloudfront.net  (54.192.204.155:443)

TCP (HTTP):
Connects to oss-ad-iad.securestudies.com  (165.193.78.187:80)

TCP (HTTP):
Connects to wwwc.ri7.securestudies.com  (4.16.75.8:80)

TCP (HTTP SSL):
Connects to wwwc.ia7.securestudies.com  (205.217.176.8:443)

TCP (HTTP):
Connects to wwwc.ia2.securestudies.com  (66.119.34.42:80)

TCP (HTTP):
Connects to www.yandex.ru  (213.180.193.3:80)

TCP (HTTP SSL):
Connects to static.30.4.4.46.clients.your-server.de  (46.4.4.30:443)

TCP (HTTP):
Connects to leo.proxyswitcher.com  (23.226.229.23:80)

TCP (HTTP SSL):
Connects to ip5.23.odnoklassniki.ru  (5.61.23.5:443)

TCP (HTTP SSL):
Connects to ip10.155.odnoklassniki.ru  (217.20.155.10:443)

TCP (HTTP):
Connects to host165-64-35-185.static.arubacloud.fr  (185.35.64.165:80)

TCP (HTTP SSL):
Connects to dsde550-7.fornex.org  (212.224.118.33:443)

TCP (HTTP SSL):
Connects to avatars-fast.yandex.net  (87.250.247.173:443)

TCP (HTTP SSL):
Connects to avatars.mds.yandex.net  (87.250.247.184:443)

TCP (HTTP):
Connects to a92-123-155-51.deploy.akamaitechnologies.com  (92.123.155.51:80)

TCP (HTTP):
Connects to a92-123-155-32.deploy.akamaitechnologies.com  (92.123.155.32:80)

TCP (HTTP):
Connects to 88.105.120.77.colo.static.dcvolia.com  (77.120.105.88:80)

TCP (HTTP):
Connects to wwwc.ri6.securestudies.com  (4.16.74.232:80)

TCP (HTTP):
Connects to wwwc.ri4.securestudies.com  (4.16.74.168:80)

TCP (HTTP):
Connects to wwwc.ia5.securestudies.com  (165.193.93.104:80)

Remove rlvknlg.exe - Powered by Reason Core Security