From a7b6d2aad2021d0b26620371d2e4fda8cb7f23b5 Mon Sep 17 00:00:00 2001
From: Eli Salem <eli.salem@cyberdomain.local>
Date: Wed, 20 Mar 2019 10:53:11 +0200
Subject: [PATCH] Add aswrundll.exe non microsoft lolbin

---
 yml/LOLUtilz/OtherBinaries/aswrundll.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 yml/LOLUtilz/OtherBinaries/aswrundll.yml

diff --git a/yml/LOLUtilz/OtherBinaries/aswrundll.yml b/yml/LOLUtilz/OtherBinaries/aswrundll.yml
new file mode 100644
index 0000000..72414cc
--- /dev/null
+++ b/yml/LOLUtilz/OtherBinaries/aswrundll.yml
@@ -0,0 +1,20 @@
+Name: aswrundll.exe
+Description: This process is used by AVAST antivirus to run and execute any modules
+Author: Eli Salem
+Created: 19\03\2019
+Commands:
+  - Command: "C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" 
+    Description: Load and execute modules using aswrundll
+    Usecase: Execute malicious modules using aswrundll.exe
+    Category: Execute
+    Privileges: Any
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+- Path: C:\Program Files\Avast Software\Avast\aswrundll
+Code_Sample: 
+- Code: ["C:\Program Files\Avast Software\Avast\aswrundll" "C:\Users\Public\Libraries\tempsys\module.dll" "C:\Users\module.dll"]
+Resources:
+ - Link: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
+ Acknowledgement:
+  - Person: Eli Salem 
+    handle: https://www.linkedin.com/in/eli-salem-954728150