It could be direct calls to VirtualAlloc. Try to isolate the memory type using "!address -summary". Better yet, find a copy of vadump.exe from an old resource kit. It gives a more readable breakdown.
You might get some clues by diff'ing the output from two runs of windbg's !vadump command, and then dumping some of the newly allocated RAM. If you have symbol files and you dump RAM using the dps command, windbg will display symbol matches for each DWORD. In other words, if a value has a name in the symbol file, you'll see it. A nice example of that is when dumping C++ objects with vtables. The vtable has a symbol, so you'll see what type it is.
Last but not least, you could breakpoint VirtualAlloc and dump the stack for each call. Even absent a rigorous comparison between allocs and frees, you might notice an interesting call stack or allocation size. The breakpoint syntax to dump the stack and continue is
bp kernel32!virtualalloc "kb;g"
Hope that helps,
Gary Kratkin