HTTP search

Often, adversaries use a bare IP address rather than a hostname in the URL that serves as the delivery mechanism. The previous screenshot indicates that the adversary may be using an IP address as part of the URL. The next command searches the memory image for any HTTP entries that remain in memory:

strings cridex_laptop.mem | grep "http://"

That command produces the following output:

Examining the output reveals some interesting data. First, there is the URL http://chaseonline.com/. In addition, there appears to be website code associated with this hit. A search of various sites for data on Cridex reveals that it is often used to steal banking credentials by hooking various APIs in the web browser and redirecting the traffic for various sites, including Chase Bank. (Microsoft has a write-up on Cridex available at https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32%2Fcridex.)

This short example shows how Strings can be utilized by responders to gather more evidence and provide additional context to an incident investigation. Strings is limited only by the keywords the responder chooses to search for.
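The following script is an added example and is not from the book or its author. It builds a small, constructed stand-in for a memory image (the embedded text, the host names and the TEST-NET addresses 203.0.113.45 and 198.51.100.7 are all made up for this example), runs the same strings-and-grep search described above, and then narrows the hits to URLs whose host is a dotted-quad IP address, which is the pattern the text calls out as suspicious. If strings(1) is not installed, a tr-based fallback extracts printable runs of four or more characters in its place; that fallback is an assumption of this example, not part of the original procedure.

```shell
#!/bin/sh
# Added example (not from the original text): search a memory image for
# HTTP URLs and flag those that use a bare IP address as the host.
LC_ALL=C
export LC_ALL

# Write a small constructed "memory image": printable text interleaved with
# binary filler, roughly what strings(1) sees in a real dump. Constructed data.
make_sample_image() {
    out="$1"
    {
        printf 'GET /index.html HTTP/1.1\r\nHost: chaseonline.com\r\n'
        printf '\000\001\002\003\377\376\375'
        printf 'http://chaseonline.com/\000\000'
        printf 'http://203.0.113.45/gate.php\000'      # constructed IP-host URL
        printf 'ftp://example.org/\000'
        printf '\000\000abc\000'
        printf 'http://198.51.100.7:8080/update\000'   # constructed IP-host URL
    } > "$out"
}

# Extract printable runs of at least four characters. Uses strings(1) when
# available; otherwise falls back to tr/grep (assumed equivalent for this demo).
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Equivalent of: strings image.mem | grep "http://"
http_hits() {
    extract_strings "$1" | grep "http://"
}

# Keep only URLs whose host component is a dotted-quad IPv4 address
# (optionally with a port), the indicator discussed in the text.
ip_host_urls() {
    extract_strings "$1" \
        | grep -E -o 'http://[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?[^[:space:]]*'
}

# Stand-alone demonstration on the constructed image.
img=$(mktemp)
make_sample_image "$img"
echo "== all HTTP hits =="
http_hits "$img"
echo "== URLs with an IP address as host =="
ip_host_urls "$img"
rm -f "$img"
```

On the constructed image the first list contains three URLs and the second narrows them to the two IP-hosted ones; in a real investigation the second list is the one to pivot from into proxy logs, DNS records and network captures.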
