This is our old Q&A Site. Please post any new questions and answers at

Following an encrypted GET request stream of a downloaded file and find these functions in the body;

GetLocaleInfo SetCurrentDirectory FileTimeToLocalFileTime GetVolumePathName VirtualAllocEx DeleteFile GetStdHandle SetConsoleTitle GetProcessHeap CreateEvent DllUnregisterServer DllRegisterServer DllCanUnloadNow DllGetClassObject

I understand what each function does i.e. dllregisterserver will add a registry entry for the preceding dll but are these functions that are being executed on the system by the download or am I missing something?

Any advice will be appreciated, Thanks

asked 19 Mar '15, 08:07

froggy101's gravatar image

accept rate: 0%

these functions that are being executed on the system by the download or am I missing something?

Most certainly they are not executed by simply downloading the file. Based on your brief description, this could be almost anything, from a text file containing those string up to a binary with debug symbols showing the strings.

So, (most certainly) no reason to worry.

If you want a more detailed analysis, please upload the capture file somewhere (google drive, dropbox, and post the link here. However, as you've mentioned an encrypted connection, I guess the capture file won't help, unless you are able to post the key as well. If that's not possible, you can try to upload whatever you see with "Follow TCP Stream" (ASCII or screenshot), so we can have a look at that.


permanent link

answered 19 Mar '15, 14:16

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 19 Mar '15, 14:17

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Mar '15, 08:07

question was seen: 1,715 times

last updated: 19 Mar '15, 14:17

p​o​w​e​r​e​d by O​S​Q​A