I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe.

When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump.

Is this difference in the number of segments enough to warrant further review of services.exe? If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps?

Thanks - any info is appreciated.