~/Privilege Escalation/Windows/Binaries# cat Mavinject.exe.md

Used by App-V (Microsoft Application Virtualization) in Windows.

Paths:

C:\Windows\System32\mavinject.exe
C:\Windows\SysWOW64\mavinject.exe

Detection: mavinject.exe should not run unless App-V is in use on the workstation.

Execute

Inject evil.dll into a process with PID 3110.

MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll

Alternate data streams

Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.

Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
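
Detection example (added here, not part of the original page): a triage function for process-creation events that applies the detection rule above and also flags /INJECTRUNNING use and DLL paths that point into an alternate data stream. It assumes each event is a dict with Sysmon-style Image and CommandLine fields; the tag names and the sample events are constructed for illustration.

```python
import ntpath
import re

# Locations the page lists for the genuine binary (compared in lower case).
KNOWN_PATHS = {
    r"c:\windows\system32\mavinject.exe",
    r"c:\windows\syswow64\mavinject.exe",
}
# "<pid> /INJECTRUNNING <dll>", with the DLL path optionally double-quoted.
INJECT_RE = re.compile(
    r'\s(\d+)\s+/INJECTRUNNING\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_ads(path):
    """True if the path has a colon beyond the drive letter (file:stream)."""
    _drive, rest = ntpath.splitdrive(path)
    return ":" in rest


def triage(event, appv_in_use=False):
    """Return finding tags for one process-creation event (Image, CommandLine)."""
    image, cmdline = event["Image"], event["CommandLine"]
    is_mavinject = ntpath.basename(image).lower() == "mavinject.exe"
    match = INJECT_RE.search(cmdline)
    tags = []
    if is_mavinject and not appv_in_use:
        tags.append("mavinject-without-appv")   # the page's detection rule
    if is_mavinject and image.lower() not in KNOWN_PATHS:
        tags.append("unexpected-path")          # not one of the two listed paths
    if match:
        dll = match.group(2) or match.group(3)
        tags.append(f"inject-pid-{match.group(1)}")
        if is_ads(dll):
            tags.append("dll-in-ads")
    return tags


# Constructed sample events; the command lines are the two shown on the page.
SAMPLES = [
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll"},
    {"Image": r"C:\Windows\SysWOW64\mavinject.exe",
     "CommandLine": r'Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe c:\notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["CommandLine"], "->", triage(ev))
```

Set appv_in_use=True for hosts where App-V is deployed so that only the injection and ADS tags remain.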