Process xview

Another good plugin that aids in discovering hidden processes is the psxview plugin. This plugin compares the active processes listed in PsActiveProcessHead with every other source of process information available in the memory image (process pool scanning, thread scanning, the PspCid table, the csrss.exe handle table, session structures and desktop threads). To run the plugin, type the following command:

dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem --profile=WinXPSP2x86 psxview

The command produces the following:

A False in a column indicates that the process was not found by that source. This allows the analyst to review the list and determine whether there is a legitimate reason for the process to be missing from that source (for example, the process has already exited, or the source is one in which that process never appears), or whether the gap indicates an attempt to hide the process.
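To show how an analyst can apply that review to psxview output at scale, here is an added Python example (not code from the book or from the Volatility project). It parses text in the shape of Volatility 2's psxview table, whose column names (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) are real, and classifies each process: rows with an ExitTime are treated as exited, rows present in every source as consistent, rows missing from the active process list (pslist) but still found by a scanning source as hidden candidates, and everything else is left for manual review. The sample table is constructed for the example and is not the output from cridex_laptop.mem.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of Volatility 2 psxview output (not real data).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 System                    4 True   True   True     True   False False   False
0x0249a9a0 explorer.exe           1484 True   True   True     True   True  True    True
0x02372858 reader_sl.exe          1640 True   True   True     True   True  True    True
0x0235d538 hidden.exe             2048 False  True   True     True   True  True    True
0x02463a80 notepad.exe            1912 False  True   False    False  False False   False    2012-07-22 02:45:15 UTC+0000
"""

# The seven process sources psxview cross-references, in column order.
BOOL_COLS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# One data row: physical offset, image name, PID, seven True/False flags, optional ExitTime.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+"
    + r"\s+".join(rf"(?P<{c}>True|False)" for c in BOOL_COLS)
    + r"(?:\s+(?P<exit>\S.*))?$"
)


@dataclass
class PsxRow:
    offset: str
    name: str
    pid: int
    found: Dict[str, bool]      # source name -> whether the process was seen there
    exit_time: Optional[str]    # ExitTime string if the process has terminated


def parse_psxview(text: str) -> List[PsxRow]:
    """Parse psxview-style text into rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(PsxRow(
            offset=m["offset"],
            name=m["name"],
            pid=int(m["pid"]),
            found={c: m[c] == "True" for c in BOOL_COLS},
            exit_time=m["exit"].strip() if m["exit"] else None,
        ))
    return rows


def classify(row: PsxRow) -> str:
    """Apply the analyst's triage rule to a single psxview row."""
    if row.exit_time:
        return "exited"            # a terminated process legitimately drops out of most sources
    if all(row.found.values()):
        return "consistent"        # seen everywhere: nothing to explain
    # Not linked in PsActiveProcessHead, yet a scanner still found the process object
    # or its threads: the classic signature of an unlinked (hidden) process.
    if not row.found["pslist"] and any(row.found[c] for c in ("psscan", "thrdproc", "pspcid")):
        return "hidden_candidate"
    return "review"                # present in pslist, absent elsewhere: check for a benign reason


def hidden_candidates(text: str) -> List[Tuple[str, int]]:
    """Return (name, pid) for every process that looks deliberately hidden."""
    return [(r.name, r.pid) for r in parse_psxview(text) if classify(r) == "hidden_candidate"]


if __name__ == "__main__":
    for r in parse_psxview(SAMPLE_PSXVIEW):
        print(f"{r.name:<16} {r.pid:>5} {classify(r)}")
```

In the constructed sample, hidden.exe is the only row flagged as a hidden candidate; System lands in "review" because the kernel process is never expected in the csrss, session or desktop-thread sources, which is exactly the kind of legitimate gap the text says the analyst must rule out by hand.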
