volatility -f /path/to/memory/dump.001 --profile=<profile> dlllist -p <pidofprocess> >dlllist-results.txt
Shows the DLL files loaded by the process, and the location each was loaded from.
The first entry listed is the location of the process binary. Does it look normal? Any other weird files in that same directory?
How about everything else it loads: does that look normal, or did someone hijack a DLL?
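One way to triage dlllist-results.txt for the two questions above, as an added example (not part of the original notes and not Volatility's own code): it parses the text output and flags a process image or DLL loaded from outside an expected directory. It assumes the Volatility 2 column layout (Base, Size, LoadCount, Path); the TRUSTED and SYSTEM_NAMES lists and the sample output are constructed for illustration.

```python
import re

# Constructed sample in the Volatility 2 dlllist text layout; not from a real image.
SAMPLE = r"""
************************************************************************
updater.exe pid:   2412
Command line : "C:\Users\bob\AppData\Roaming\updater.exe"

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000            0x2c000             0xffff C:\Users\bob\AppData\Roaming\updater.exe
0x0000000077a40000           0x1a9000             0xffff C:\Windows\SYSTEM32\ntdll.dll
0x0000000010000000            0x15000                0x1 C:\Users\bob\AppData\Roaming\version.dll
"""
# Assumed baseline of expected load locations; tune it to the system under review.
TRUSTED = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
           "c:\\program files\\", "c:\\program files (x86)\\", "\\systemroot\\system32\\")
# Small illustrative set of DLL names that normally load from System32 (assumption).
SYSTEM_NAMES = {"ntdll.dll", "kernel32.dll", "version.dll", "dbghelp.dll"}
HEADER = re.compile(r"^(\S.*?) pid:\s+(\d+)\s*$")
MODULE = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S.*)$")

def parse(text):
    """Return {pid: (process_name, [module paths in listed order])}."""
    procs, pid = {}, None
    for line in text.splitlines():
        h, m = HEADER.match(line), MODULE.match(line)
        if h:
            pid = int(h.group(2))
            procs[pid] = (h.group(1), [])
        elif m and pid is not None:
            procs[pid][1].append(m.group(1).strip())
    return procs

def review(procs):
    """Return (pid, reason, path) for every module loaded outside TRUSTED."""
    findings = []
    for pid, (_, paths) in procs.items():
        for i, path in enumerate(paths):
            low = path.lower()
            if not low.startswith(TRUSTED):
                name = low.rsplit("\\", 1)[-1]
                reason = ("image outside trusted dirs" if i == 0 else
                          "system DLL name in non-system path" if name in SYSTEM_NAMES
                          else "dll outside trusted dirs")
                findings.append((pid, reason, path))
    return findings

if __name__ == "__main__":
    print(*review(parse(SAMPLE)), sep="\n")
```

A hit is a lead to check against the disk image and a known-good baseline, not a verdict; plenty of legitimate software loads DLLs from its own install directory.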