I was following an encrypted GET request stream of a downloaded file and found these functions in the body: GetLocaleInfo, SetCurrentDirectory, FileTimeToLocalFileTime, GetVolumePathName, VirtualAllocEx, DeleteFile, GetStdHandle, SetConsoleTitle, GetProcessHeap, CreateEvent, DllUnregisterServer, DllRegisterServer, DllCanUnloadNow, DllGetClassObject. I understand what each function does, i.e. DllRegisterServer will add a registry entry for the preceding DLL, but are these functions being executed on the system by the download, or am I missing something? Any advice will be appreciated. Thanks

asked 19 Mar '15, 08:07 froggy101
One Answer:
Most certainly they are not executed by simply downloading the file. Based on your brief description, this could be almost anything, from a text file containing those strings up to a binary with debug symbols showing the strings. So, (most certainly) no reason to worry. If you want a more detailed analysis, please upload the capture file somewhere (Google Drive, Dropbox, cloudshark.org) and post the link here. However, as you've mentioned an encrypted connection, I guess the capture file won't help, unless you are able to post the key as well. If that's not possible, you can try to upload whatever you see with "Follow TCP Stream" (ASCII or screenshot), so we can have a look at that. Regards

answered 19 Mar '15, 14:16 Kurt Knochner ♦ edited 19 Mar '15, 14:17