I'd say there's a 50/50 chance of the cause being code injection as
compared to just normal process activity over time. So IMO, no, it's not
enough to warrant further investigation of services.exe. However, your
belief that the malware injects code into services.exe (i.e. because you
read a report online, someone told you, etc) is enough. You should check
out the malfind and ldrmodules plugins, as they can help locate and
identify injected code - unless you really want to review 141 VAD segments
manually ;=)
If you want to know more about the VADs, check our wiki, the final few
chapters of Malware Cookbook, or consider registering for one of our
upcoming training courses (which cover VADs and 5 days worth of other
material in depth).
Hope this helps!
MHL
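As an added example (not part of MHL's reply or of Volatility's own code), here is a simplified Python model of the filter malfind applies to VAD entries: writable-and-executable protection on private memory with no backing file. The VAD records are constructed, and the field layout is an assumption, not vadinfo's real output format.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Vad:
    """One VAD entry reduced to the fields the heuristic needs (constructed)."""
    start: int
    end: int
    protection: str             # e.g. "PAGE_EXECUTE_READWRITE"
    private: bool               # PrivateMemory flag
    mapped_file: Optional[str]  # backing file name, None for anonymous memory

def is_suspicious(vad: Vad) -> bool:
    """Simplified malfind-style filter: executable AND writable, private
    (not shared), and not backed by a file. Legitimate code normally lives in
    file-backed image sections, so anonymous RWX memory stands out."""
    write_exec = "EXECUTE" in vad.protection and "WRITE" in vad.protection
    return write_exec and vad.private and vad.mapped_file is None

def triage(vads: List[Vad]) -> List[Vad]:
    """Return only the VADs worth dumping and reviewing by hand."""
    return [v for v in vads if is_suspicious(v)]

def segment_delta(clean: List[Vad], infected: List[Vad]) -> int:
    """The raw count difference the original question asked about."""
    return len(infected) - len(clean)

# Constructed clean baseline: the image, one DLL, and one heap.
CLEAN = [
    Vad(0x01000000, 0x0101FFFF, "PAGE_EXECUTE_WRITECOPY", False, r"\Windows\System32\services.exe"),
    Vad(0x77000000, 0x7712FFFF, "PAGE_EXECUTE_WRITECOPY", False, r"\Windows\System32\ntdll.dll"),
    Vad(0x00400000, 0x004FFFFF, "PAGE_READWRITE", True, None),
]

# Constructed "infected" view: the same process after more uptime has grown
# four ordinary private heap/stack regions (PAGE_READWRITE), plus one
# anonymous RWX region of the kind injected code usually lands in.
INFECTED = CLEAN + [
    Vad(0x00500000 + i * 0x100000, 0x005FFFFF + i * 0x100000, "PAGE_READWRITE", True, None)
    for i in range(4)
] + [Vad(0x02A00000, 0x02A0FFFF, "PAGE_EXECUTE_READWRITE", True, None)]

if __name__ == "__main__":
    # The count grew by 5, but only 1 segment is worth a manual look.
    print("extra segments:", segment_delta(CLEAN, INFECTED))
    for v in triage(INFECTED):
        print(f"suspicious VAD {v.start:#x}-{v.end:#x} {v.protection}")
```

The point of the split is that the bare segment count mixes benign heap growth with the one region that matters, which is why the count alone is a weak signal.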
On Tue, Dec 11, 2012 at 11:12 AM, Kathy Simm <kathys39(a)hotmail.com> wrote:
I've got a memory dump of a clean system and a memory dump of a system
infected with a piece of malware that I believe has been injected into
services.exe.
When I use the vadinfo command, there are 93 memory segments associated
with services.exe in the clean dump, and 234 segments in the infected dump.
Is this difference in the number of segments enough to warrant further
review of services.exe? If so, is the next step to dump the extra memory
segments that are in the infected dump using the vaddump command and review
each of those dumps?
Thanks - any info is appreciated.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users