VirusTotal & hash lists

We'll take the MD5 hash listing that UAC produces and query VirusTotal's API with it to find known-malicious binaries among the running processes.

If you run UAC with a profile that collects live-response process data (such as full or ir_triage), the output includes hashes of the executables that were running at acquisition time. Look in the process folder under live_response for hash_running_process.md5 and hash_running_process.sha1.

Each line is in md5sum format: the hash, then the path to the executable. Strip the path column so that only the hashes remain, one per line. In Notepad++, open the file, hold Alt + Shift and extend the selection over the second column (column mode), then delete it. Save the result as a new file called hashes.md5, and keep the original listing: you need it to map a hit back to the process and its entry in the pstree and cmd output.

  1. Download virustotal-search.py from Didier Stevens' website (https://blog.didierstevens.com/programs/virustotal-tools/)

  2. Get an API key from VirusTotal (free for low-volume queries; the public API is rate-limited, so a long hash list takes a while to work through)

  3. Make sure Python 2.7 is installed

  4. Execute the following command

$ python2.7 virustotal-search.py -k APIKEY hashes.md5

The results are printed to the console and also written to a CSV file. Two caveats when reading them: a hash with no VirusTotal record is not evidence that the binary is clean, and an executable nobody has ever submitted deserves a closer look rather than less; and although you are only submitting hashes, not files, you are still telling a third party which binaries you are investigating.
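The column-stripping step and the mapping back from results to processes are easy to get wrong by hand on a long listing. The following Python script is an added example, not part of this page or of UAC or virustotal-search.py. It parses a constructed md5sum-style listing like the one UAC writes, drops malformed lines and duplicate hashes, produces the one-hash-per-line file the lookup tool expects, and then joins a constructed result table back to the process paths. The result CSV here (columns resource, detections, total) is an assumed stand-in; adjust the column names to the header of the CSV your lookup tool actually writes.

```python
import csv
import io
import re
from collections import OrderedDict

# Constructed sample in md5sum format (hash, two spaces, path), mimicking
# live_response/process/hash_running_process.md5. Duplicate hashes are
# normal: several processes often run the same binary.
SAMPLE_MD5_LISTING = """\
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/bash
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/bash
9e107d9d372bb6826bd81d3542a419d6  /usr/sbin/sshd

e4d909c290d0fb1ca068ffaddf22cbd0  /tmp/.x/kworkerd
a3c65c2974270fd093ee8a9bf8ae7d0b  /opt/agent/agentd
not-a-hash  /proc/1234/exe
"""

# Constructed stand-in for the lookup output; the column names are an
# assumption, not the real tool's format.
SAMPLE_RESULTS_CSV = """\
resource,detections,total
d41d8cd98f00b204e9800998ecf8427e,0,70
9e107d9d372bb6826bd81d3542a419d6,0,70
e4d909c290d0fb1ca068ffaddf22cbd0,41,70
"""

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # MD5; use {40} for the .sha1 listing


def parse_hash_listing(text, hash_re=HASH_RE):
    """Return an ordered mapping hash -> list of paths from md5sum-style lines.

    Blank and malformed lines (no path, or a token that is not a hash of the
    expected length) are skipped rather than sent to VirusTotal, where they
    would only burn API quota.
    """
    mapping = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not hash_re.match(parts[0]):
            continue
        digest, path = parts[0].lower(), parts[1]
        paths = mapping.setdefault(digest, [])
        if path not in paths:
            paths.append(path)
    return mapping


def hash_list(mapping):
    """The hashes-only file: one unique hash per line, nothing else."""
    return "\n".join(mapping) + "\n"


def triage(mapping, results_csv, threshold=1):
    """Join detection counts back to the processes and classify each hash.

    A hash absent from the results is reported as 'unknown', not 'clean':
    a binary nobody has ever submitted is worth a look, not a pass.
    """
    detections = {}
    for row in csv.DictReader(io.StringIO(results_csv)):
        detections[row["resource"].strip().lower()] = int(row["detections"])
    report = []
    for digest, paths in mapping.items():
        if digest not in detections:
            verdict = "unknown"
        elif detections[digest] >= threshold:
            verdict = "malicious"
        else:
            verdict = "clean"
        report.append((digest, verdict, paths))
    return report


if __name__ == "__main__":
    listing = parse_hash_listing(SAMPLE_MD5_LISTING)
    # This is what you would write to hashes.md5 before running the lookup.
    print(hash_list(listing), end="")
    for digest, verdict, paths in triage(listing, SAMPLE_RESULTS_CSV):
        print("%s  %-9s %s" % (digest, verdict, ", ".join(paths)))
```

Run it once over the real listing to produce hashes.md5, run the VirusTotal lookup on that file, then feed the resulting CSV back into triage() together with the original listing so that every hit comes out next to the executable path you need to chase in pstree and cmd.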
