File name:	Rsvp.msi
Full analysis:	https://app.any.run/tasks/e8eab480-7849-4c14-b9eb-90b9f7987544
Verdict:	Malicious activity
Analysis date:	February 17, 2026, 22:16:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	logmeinrescue rmm-tool github
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Number of Pages: 300, Template: Intel;0, Number of Words: 0, Security: 0, Name of Creating Application: Windows Installer, Author: LogMeIn, Inc., Title: LogMeIn Resolve Unattended, Comments: LogMeIn Resolve Unattended v1.31.1.908, Revision Number: {8098BA0B-7793-4EE4-B183-8CD08EB3DF44}
MD5:	77ECE0ECFA33976DFB172CC05B1175AE
SHA1:	3000CF4AD32ABB5242ED300A9366A683AB6FDD43
SHA256:	AC30DC171AB52BE869DD3674E674350B5FCD1B79F3CB9B0D8388D63EDC1ED018
SSDEEP:	196608:zeuIOAOiPyoSbf6wvs1q1yvWROg5LMgCEPuLld88aq:J1AnP+WwkLvWRn5Ag0N

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Pages:	300
Template:	Intel;0
Words:	-
Security:	None
Software:	Windows Installer
Author:	LogMeIn, Inc.
Title:	LogMeIn Resolve Unattended
Comments:	LogMeIn Resolve Unattended v1.31.1.908
RevisionNumber:	{8098BA0B-7793-4EE4-B183-8CD08EB3DF44}


(PID) Process:	(2456) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000467604255BA0DC0198090000401D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2456) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000467604255BA0DC0198090000401D0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2456) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000474B5A255BA0DC0198090000401D0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2456) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000009B4979255BA0DC0198090000401D0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000C9F989255BA0DC0110110000D81D0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 48000000000000003EBE8E255BA0DC0110110000D81D0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi

PID	Process	Filename		Type
2456	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2456	msiexec.exe	C:\Windows\Installer\1e9a4a.msi		—
		MD5:—	SHA256:—
2456	msiexec.exe	C:\Windows\Installer\1e9a4c.msi		—
		MD5:—	SHA256:—
8960	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:49B2D38426E2CA1157A091272B71077B	SHA256:0125E69A928A91B4D605F44FBD1586FBCF10B9FA16F5C150F7FB5A12413EEDD9
8960	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:93434F0F3E74C69FCD457D051866FF20	SHA256:DB229ACF64F4C20F04198C7DFE27038D714038E86444057951826788412C8F91
8960	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F3911A996680A5E4031AB6109A606645		binary
		MD5:AA2F417D6FDF9314C52F32E414037C8C	SHA256:6477FD063345BCF69622B901FF7925FD44DCD465665279DDC026E1FCC15AD140
8960	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI57A3.tmp		binary
		MD5:2AB7767B0581330A8184F52ABC7280D2	SHA256:D3D2C268FEE70B2514C4F66D889C80654F463E0A762A75823771CD978C058B5A
2456	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:937745AA23253FB71C9E3544210FD93C	SHA256:46DFE6AD92995BF2D7CF32D7A0E3FE9A83C0D8E3B2790038D6EBF20347F87E32
8960	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:332BE424A93B30DD3A88AA2B257C5514	SHA256:7B628F0CB971A6C4D07CC534C1A1119DA9D8E5386FEFF80B11F865BBC1CB65E4
8960	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:BC11CF08F4B09D6C28C50B9CC56DDABE	SHA256:9670189359782539A4EA179B6ECA6596F702599B14C4C71D8B740543B3FC170F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
—	—	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	unknown	—	—	whitelisted
7236	svchost.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	unknown	—	—	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	unknown	—	—	whitelisted
8960	msiexec.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA6tOj%2F6cMCiCuI2gYmTUVM%3D	unknown	—	—	whitelisted
356	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
356	svchost.exe	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	binary	11.1 Kb	whitelisted
8960	msiexec.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
6472	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
356	svchost.exe	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	binary	10.3 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
8520	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6768	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7236	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	92.123.104.37:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8960	msiexec.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 51.104.136.2	whitelisted
self.events.data.microsoft.com	52.182.143.215	whitelisted
www.bing.com	92.123.104.37 92.123.104.42 92.123.104.38 92.123.104.33 92.123.104.50 92.123.104.39 92.123.104.45 92.123.104.35 92.123.104.34	whitelisted
google.com	142.251.37.14	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.5 40.126.32.136 20.190.160.130 20.190.160.64 20.190.160.67 20.190.160.128 40.126.32.68 20.190.160.2 20.190.159.131 20.190.159.75 20.190.159.128 40.126.31.131 20.190.159.23 20.190.159.0 20.190.159.4 40.126.31.71	whitelisted
crl.microsoft.com	184.24.77.15 184.24.77.23 184.24.77.11 184.24.77.12 184.24.77.29 184.24.77.16 184.24.77.19 184.24.77.41 184.24.77.25 184.24.77.10 184.24.77.42 184.24.77.7 184.24.77.38 184.24.77.36 184.24.77.35 184.24.77.27 184.24.77.30 184.24.77.40 184.24.77.37 184.24.77.33	whitelisted
go.microsoft.com	23.52.181.141	whitelisted

PID	Process	Class	Message
7236	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to RMM Domain (gotoresolve .com)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
7932	GoToResolveUnattended.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to RMM Domain (gotoresolve .com)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
4776	GoToResolveLoggerProcess.exe	Misc activity	ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)

Process	Message
GoToResolveUnattended.exe	DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveUnattended.exe	DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe	DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe	DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe	DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe	DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe	DllMain: DLL_THREAD_DETACH
GoToResolveProcessChecker.exe	DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveProcessChecker.exe	DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveProcessChecker.exe	DllMain: DLL_THREAD_ATTACH

General Info

Rsvp.msi

77ECE0ECFA33976DFB172CC05B1175AE

3000CF4AD32ABB5242ED300A9366A683AB6FDD43

AC30DC171AB52BE869DD3674E674350B5FCD1B79F3CB9B0D8388D63EDC1ED018

196608:zeuIOAOiPyoSbf6wvs1q1yvWROg5LMgCEPuLld88aq:J1AnP+WwkLvWRn5Ag0N

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

SUSPICIOUS

Executes as Windows Service

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Creates files in the driver directory

LOGMEINRESCUE mutex has been found

Named pipe usage

Creates/Modifies COM task schedule object

Reads the BIOS version

The process creates files with name similar to system file names

Adds/modifies Windows certificates

Creates or modifies Windows services

Searches for installed software

The process verifies whether the antivirus software is installed

Starts a Microsoft application from unusual location

INFO

Reads security settings of Internet Explorer

Checks proxy server information

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Manages system restore points

Executable content was dropped or overwritten

Drops script file

Creates files in the program directory

Reads the machine GUID from the registry

Reads Environment values

Reads CPU info

Process checks computer location settings

Reads the time zone

Creates a software uninstall entry

Reads product name

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files