This pattern covers traces of ASCII and UNICODE strings that look suspicious such as website, password and HTTP forms or strange names that intuitively shouldn't be present according to the purpose of a module or its container process (example is taken from Victimware presentation case study25):
0:005> s-sa 00040000 L1d000 0004004d "!This program cannot be run in D" 0004006d "OS mode." 00040081 "3y@" 000400b8 "Rich" 000401d0 ".text" 000401f7 "`.rdata" 0004021f "@.data" 00040248 ".reloc" [...] 00054018 "GET /stat?uptime=%d&downlink=%d&" 00054038 "uplink=%d&id=%s&statpass=%s&comm" 00054058 "ent=%s HTTP/1.0" 000540ac "%s%s%s" 000540d8 "ftp://%s:%s@%s:%d" 000540fc "Accept-Encoding:" 00054118 "Accept-Encoding:" 00054130 "0123456789ABCDEF" 00054144 "://" 00054160 "POST %s HTTP/1.0" 00054172 "Host: %s" 0005417c "User-Agent: %s" 0005418c "Accept: text/html" 0005419f "Connection: Close" 000541b2 "Content-Type: application/x-www-" 000541d2 "form-urlencoded" 000541e3 "Content-Length: %d" 000541fc "id=" 00054208 "POST %s HTTP/1.1" 0005421a "Host: %s" 00054224 "User-Agent: %s" 00054234 "Accept: text/html" 00054247 "Connection: Close" 0005425a "Content-Type: application/x-www-" 0005427a "form-urlencoded" 0005428b "Content-Length: %d" 000542a4 "id=%s&base=" 000542b8 "id=%s&brw=%d&type=%d&data=" 000542d8 "POST %s HTTP/1.1" 000542ea "Host: %s" 000542f4 "User-Agent: %s" 00054304 "Accept: text/html" 00054317 "Connection: Close" 0005432a "Content-Type: application/x-www-" 0005434a "form-urlencoded" 0005435b "Content-Length: %d" 00054378 "id=%s&os=%s&plist=" 00054390 "POST %s HTTP/1.1" 000543a2 "Host: %s" 000543ac "User-Agent: %s" 000543bc "Accept: text/html" 000543cf "Connection: Close" 000543e2 "Content-Type: application/x-www-" 00054402 "form-urlencoded" 00054413 "Content-Length: %d" 00054430 "id=%s&data=%s" 00054440 "POST %s HTTP/1.1" 00054452 "Host: %s" 0005445c "User-Agent: %s" 0005446c "Accept: text/html" 0005447f "Connection: Close" 00054492 "Content-Type: application/x-www-" 000544b2 "form-urlencoded" 000544c3 "Content-Length: %d" 000544e0 "GET %s HTTP/1.0" 000544f1 "Host: %s" 000544fb "User-Agent: %s" 0005450b "Connection: close" 00054528 "POST /get/scr.html HTTP/1.0" 00054545 "Host: %s" 0005454f "User-Agent: %s" 0005455f "Connection: close" 00054572 "Content-Length: %d" 00054586 "Content-Type: multipart/form-dat" 000545a6 "a; boundary=--------------------" 000545c6 "-------%d" 000545d4 "-----------------------------%d" 000545f8 "%sContent-Disposition: form-data" 00054618 "; name="id"" 00054630 "%sContent-Disposition: form-data" 00054650 "; name="screen"; filename="%d"" 00054670 "Content-Type: application/octet-" 00054690 "stream" 000546a0 "%s(%d) : %s" 000546ac "%s failed with error %d: %s" 000546c8 "%02X" 000546d8 "BlackwoodPRO" 000546e8 "FinamDirect" 000546f4 "GrayBox" 000546fc "MbtPRO" 00054704 "Laser" 0005470c "LightSpeed" 00054718 "LTGroup" 00054720 "Mbt" 00054724 "ScotTrader" 00054730 "SaxoTrader" 00054740 "Program: %s" 0005474f "Username: %s" 0005475e "Password: %s" 0005476d "AccountNO: %s" [...]