[Vol-users] Need some assistance with strings output

Tom Yarrish tom at yarrish.com
Wed Oct 26 16:43:41 CDT 2011

Hello all,
I'm looking for some guidance on next steps with some data I have from
a memory analysis.

I was following the steps on using strings to look for processes that
might have malicious IP's or URL's in memory:


The issue I'm having now is where to proceed with the output I have.
So for example in my URL.txt file I have this:

1b64666b7 [2632:834520759] http://ghc.ru
1b646674d [2632:834520909] http://rst.void.ru

Now my understanding of the output is [PID:Address Space].  The
particular PID in this instance refers to:

0x89c82020 WINWORD.EXE            2632   2284     11    943 2011-10-11 15:07:13

So how do I go deeper in to looking at why winword.exe may be making
http requests?  And what does the first value (ex 1b64666b7) refer to?
 Is that the virtual address in the memory dump file or something

If there's any additional docs online I could look at to explain this
further that would be helpful as well.

Thanks ahead of time,

More information about the Vol-users mailing list