Hello all,
I'm looking for some guidance on next steps with some data I have from
a memory analysis.
I was following the steps on using strings to look for processes that
might have malicious IPs or URLs in memory:
https://code.google.com/p/volatility/wiki/CommandReference#strings
The issue I'm having now is where to proceed with the output I have.
So for example in my URL.txt file I have this:
1b64666b7 [2632:834520759]
http://ghc.ru
1b646674d [2632:834520909]
http://rst.void.ru
Now my understanding of the output is [PID:Address Space]. The
particular PID in this instance refers to:
0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13
So how do I go deeper into looking at why winword.exe may be making
HTTP requests? And what does the first value (ex 1b64666b7) refer to?
Is that the virtual address in the memory dump file or something
else?
If there's any additional docs online I could look at to explain this
further that would be helpful as well.
Thanks ahead of time,
Tom
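The following is an added triage script, not part of the original post or of Volatility itself. Each line the strings plugin writes has the form `<physical offset> [<pid>:<virtual address> ...] <string>`: the first column is the offset of the string in the raw memory image (the offset the strings utility reported, here in hex), and each bracketed pair names a process in which the physical page holding that string is mapped and the virtual address it has there. The script parses output in the layout shown in the post (the string wrapped onto its own line; the one-line form is handled too), joins the PID against a pslist line, and shows how the physical offset is used to pull surrounding bytes out of the image. The sample strings and pslist lines are copied from the post; the tiny in-memory "image" is constructed so the context read runs offline. One assumption, inferred from the two hits being 0x96 bytes apart in both columns: the virtual address in this output is printed in decimal, so it is parsed with base 10 (pass a different `vaddr_base` if your plugin version prints hex).

```python
"""Triage helper for Volatility 'strings' plugin output (added example)."""
import io
import re
from collections import defaultdict

# Sample taken from the post: string on the line after the offset/mapping.
STRINGS_OUTPUT = """\
1b64666b7 [2632:834520759]
http://ghc.ru
1b646674d [2632:834520909]
http://rst.void.ru
"""

# pslist line from the post: Offset(V) Name PID PPID Thds Hnds Time
PSLIST_OUTPUT = """\
0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13
"""

# Constructed stand-in for the real image (the real one is far too large to
# embed): the URL is planted at physical offset 0x40 so read_context can be run.
FAKE_IMAGE = b"\x00" * 0x40 + b"http://ghc.ru\x00" + b"\x00" * 0x20

HIT_RE = re.compile(r"^([0-9a-fA-F]+)\s+\[([^\]]+)\]\s*(.*)$")


def parse_strings_output(text, vaddr_base=10):
    """Return hits as dicts: image offset (int), [(pid, vaddr), ...], string.

    Assumption: the virtual address is decimal in this plugin version, as
    implied by both columns advancing by 0x96 between the post's two hits.
    """
    hits = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HIT_RE.match(lines[i])
        i += 1
        if not m:
            continue
        phys, mappings, s = m.groups()
        # The string may have wrapped onto the following line, as in the post.
        if not s and i < len(lines) and not HIT_RE.match(lines[i]):
            s = lines[i].strip()
            i += 1
        owners = []
        for pair in mappings.split():          # several pairs if page is shared
            pid, vaddr = pair.split(":", 1)
            owners.append((pid, int(vaddr, vaddr_base)))
        hits.append({"phys": int(phys, 16), "owners": owners, "string": s})
    return hits


def parse_pslist(text):
    """Map PID (as text) -> process name from pslist output lines."""
    procs = {}
    for ln in text.splitlines():
        parts = ln.split()
        if len(parts) < 3 or not parts[0].startswith("0x"):
            continue
        procs[parts[2]] = parts[1]
    return procs


def hits_by_process(hits, procs):
    """Group hits by (pid, name) so each process's strings can be reviewed together."""
    grouped = defaultdict(list)
    for h in hits:
        for pid, vaddr in h["owners"]:
            grouped[(pid, procs.get(pid, "?"))].append((h["phys"], vaddr, h["string"]))
    return dict(grouped)


def read_context(image, phys_off, before=16, after=48):
    """Seek to the physical offset in the raw image and return the bytes around it."""
    start = max(0, phys_off - before)
    image.seek(start)
    return image.read((phys_off - start) + after)


def triage(strings_text=STRINGS_OUTPUT, pslist_text=PSLIST_OUTPUT):
    grouped = hits_by_process(parse_strings_output(strings_text), parse_pslist(pslist_text))
    for (pid, name), entries in sorted(grouped.items()):
        print(f"{name} (pid {pid}):")
        for phys, vaddr, s in entries:
            print(f"  image offset 0x{phys:x}  vaddr 0x{vaddr:08x}  {s}")
    return grouped


if __name__ == "__main__":
    triage()
    # On a real case: open(image_path, "rb") and pass the hit's "phys" value.
    print(read_context(io.BytesIO(FAKE_IMAGE), 0x40, before=4, after=16))
```

The grouped view answers "which process, at which address" for every hit; the context read is the usual next step, since the bytes around a URL in a process's memory (a full HTTP request line, a User-Agent, a neighbouring URL list) say far more about why it is there than the string on its own.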