Malware analysis

Adding to Volatility's impressive line-up of plugins is the malfind plugin.

The malfind plugin, as the name suggests, is used to find, or at least point the investigator toward hints of, malware that may have been injected into various processes. The output of the malfind plugin can be lengthy, so it should be run in a separate Terminal to avoid constant scrolling while reviewing the output of the other plugin commands.

The command used to run malfind is as follows:

volatility --profile=WinXPSP3x86 -f cridex.vmem malfind

The malfind plugin can also be run directly on processes using the -p switch.

As we've discovered, winlogon.exe is assigned the PID 608. To run malfind on PID 608, we type:

volatility --profile=WinXPSP3x86 -f cridex.vmem malfind -p 608
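Because malfind output runs long, a small triage script helps an analyst read the most suspicious regions first. The following is an added example, not part of the book or of Volatility itself: it parses the header and hexdump layout that Volatility 2's malfind prints and scores each region (private RWX memory, and especially an MZ header inside it, ranks higher; an all-zero first page ranks lower). The sample output embedded in SAMPLE is constructed for illustration and is not a real finding from cridex.vmem.

```python
import re

# Constructed sample in the layout of Volatility 2 malfind output; not real cridex.vmem findings.
SAMPLE = """\
Process: winlogon.exe Pid: 608 Address: 0x1c90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01c90000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: explorer.exe Pid: 1484 Address: 0x3a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)$")
HEXROW = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){1,16})")

def parse_malfind(text):
    """Group malfind output into one dict per reported memory region."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": "", "data": b""}
            regions.append(cur)
        elif cur and line.startswith("Vad Tag:"):
            cur["protection"] = line.split("Protection:", 1)[1].strip()
        elif cur and (m := HEXROW.match(line)):
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return regions

def triage(regions):
    """Score regions so the most suspicious are read first: RWX memory is
    suspicious, an MZ header in it more so, an all-zero first page less so."""
    scored = []
    for r in regions:
        score = 0
        if "EXECUTE" in r["protection"] and "WRITE" in r["protection"]:
            score += 1
        if r["data"].startswith(b"MZ"):
            score += 2
        if r["data"] and not any(r["data"]):
            score -= 1
        scored.append((score, r["process"], r["pid"], hex(r["address"])))
    return sorted(scored, reverse=True)
```

In practice you would redirect the malfind run above to a file and pass its contents to parse_malfind instead of SAMPLE; the score is only a reading order, and each flagged region still needs manual review of the disassembly malfind prints.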