154100x80000000000000001836026Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-07 19:16:08.425{C2494F38-30F8-62C7-CF01-000000006102}1316C:\Windows\System32\mavinject.exe10.0.14393.4467 (rs1_release.210604-1844)Microsoft Application Virtualization InjectorMicrosoft® Windows® Operating SystemMicrosoft Corporationmavinject64.exe"C:\Windows\system32\mavinject.exe" 4964 /HMODULE=0x013C0000 foo.dll 4C:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{C2494F38-3010-62C7-6ACF-130000000000}0x13cf6a2HighMD5=F39812E1DF34B0E6071F486B08E42E00,SHA256=E8BD813C87E9EDB3DFE2043E99015F287CCF8FF35E84D1209A65EE5C1BFC63DE{C2494F38-305F-62C7-AE01-000000006102}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000001835983Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-07 19:16:05.679{C2494F38-30F5-62C7-CE01-000000006102}4596C:\Windows\System32\mavinject.exe10.0.14393.4467 (rs1_release.210604-1844)Microsoft Application Virtualization InjectorMicrosoft® Windows® Operating SystemMicrosoft Corporationmavinject64.exe"C:\Windows\system32\mavinject.exe" 4964 /HMODULE=0x013C0000 foo.dll 4C:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{C2494F38-3010-62C7-6ACF-130000000000}0x13cf6a2HighMD5=F39812E1DF34B0E6071F486B08E42E00,SHA256=E8BD813C87E9EDB3DFE2043E99015F287CCF8FF35E84D1209A65EE5C1BFC63DE{C2494F38-305F-62C7-AE01-000000006102}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000001834762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-07 19:14:20.249{C2494F38-308C-62C7-BF01-000000006102}4320C:\Windows\System32\mavinject.exe10.0.14393.4467 (rs1_release.210604-1844)Microsoft Application Virtualization InjectorMicrosoft® Windows® Operating SystemMicrosoft Corporationmavinject64.exemavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dllC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-3010-62C7-6ACF-130000000000}0x13cf6a2HighMD5=F39812E1DF34B0E6071F486B08E42E00,SHA256=E8BD813C87E9EDB3DFE2043E99015F287CCF8FF35E84D1209A65EE5C1BFC63DE{C2494F38-308C-62C7-BD01-000000006102}2120C:\Windows\System32\cmd.exe"cmd.exe" /c "mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"WIN-HOST-MHAAG-\Administrator 154100x80000000000000001834718Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-07 19:14:20.222{C2494F38-308C-62C7-BD01-000000006102}2120C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-3010-62C7-6ACF-130000000000}0x13cf6a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-305F-62C7-AE01-000000006102}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator