How to identify rogue processes

volatility -f /path/to/memory/dump.001 --profile=<profile> malprocfind > malprocfind-results.txt && cat malprocfind-results.txt && grep False malprocfind-results.txt

The more False flags a process has in the grep output, the more suspicious it is. Also look through the full output for multiple instances of processes that should only run once, misspelled names, processes without a running parent, etc.

volatility -f /path/to/memory/dump.001 --profile=<profile> psscan > psscan-results.txt

Use the PID and PPID (parent PID) columns to see which processes (parents) spawned which other processes (children) and decide whether something is off (iexplore.exe spawning cmd.exe would qualify).
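
One way to apply the PID/PPID check to psscan-results.txt, as an added example (not part of the original page or of Volatility): it flags processes whose parent is missing from the scan and parent/child pairs on a watch list. The sample rows, the ODD_PAIRS list and the function names are constructed for illustration; a missing parent is a lead to check, not a verdict, since parents such as userinit.exe exit normally.

```python
import re
import sys

# Constructed sample in Volatility 2 psscan text layout (not from a real image).
SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e025ba8 System                4      0 0x00185000 2019-03-01 09:00:01 UTC+0000
0x000000003e1a2030 smss.exe            268      4 0x3ec4c020 2019-03-01 09:00:01 UTC+0000
0x000000003e2f1060 explorer.exe       1512   1480 0x3ec4c2a0 2019-03-01 09:01:10 UTC+0000
0x000000003e4410a0 iexplore.exe       2044   1512 0x3ec4c3e0 2019-03-01 09:05:42 UTC+0000
0x000000003e5520c0 cmd.exe            2388   2044 0x3ec4c440 2019-03-01 09:06:03 UTC+0000
0x000000003e6630e0 scvhost.exe        3120   9999 0x3ec4c4a0 2019-03-01 09:06:30 UTC+0000
"""

# offset, name (may contain spaces), PID, PPID, then the PDB column
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+0x[0-9a-fA-F]+")
# Hypothetical watch list of (parent, child) pairs; extend it for your environment.
ODD_PAIRS = {("iexplore.exe", "cmd.exe"), ("iexplore.exe", "powershell.exe")}

def parse_psscan(text):
    """Return a list of (name, pid, ppid) tuples from psscan text output."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append((m.group(2), int(m.group(3)), int(m.group(4))))
    return procs

def review(procs):
    """Return (orphans, odd_children), each a list of (name, pid, ppid)."""
    names_by_pid = {}
    for name, pid, _ in procs:  # a PID can recur in psscan (reuse), so keep a set
        names_by_pid.setdefault(pid, set()).add(name.lower())
    orphans, odd = [], []
    for name, pid, ppid in procs:
        parents = names_by_pid.get(ppid)
        if parents is None:
            if ppid != 0:  # System legitimately has PPID 0
                orphans.append((name, pid, ppid))
        elif any((p, name.lower()) in ODD_PAIRS for p in parents):
            odd.append((name, pid, ppid))
    return orphans, odd

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    orphans, odd = review(parse_psscan(text))
    for name, pid, ppid in orphans: print(f"parent not in scan: {name} pid={pid} ppid={ppid}")
    for name, pid, ppid in odd: print(f"unusual parent:     {name} pid={pid} ppid={ppid}")
```

On the constructed sample, explorer.exe is reported alongside the misspelled scvhost.exe because its parent has exited, which is the kind of hit that needs an analyst's judgement before it counts as suspicious.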

volatility -f /path/to/memory/dump.001 --profile=<profile> pstree > pstree-results.txt

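pstree shows the same parent/child relationships, but as an indented tree. It is built from the active process list (like pslist), so hidden or unlinked processes that only psscan finds will not appear in it.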

If you want full-on graphics, use pstotal:

volatility -f /path/to/memory/dump.001 --profile=<profile> pstotal --cmd --output=dot --output-file=/path/pstotal-graph.dot

Then view it with xdot on Linux:

xdot /path/pstotal-graph.dot