Hey all.
Got a naughty email sent with malicious links, so I ran it in my
sandbox and got an image. I'm trying to locate the injected code:
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x89e23830 System                    4      0     76      206 ------      0
0x89c207e8 smss.exe                640      4      3       19 ------      0 2013-02-27 22:05:55
0x89c093e0 csrss.exe               712    640     11      369      0      0 2013-02-27 22:05:59
0x89c0ab10 winlogon.exe            748    640     18      516      0      0 2013-02-27 22:06:04
0x89b72020 services.exe            792    748     16      277      0      0 2013-02-27 22:06:05
0x89bc9980 lsass.exe               804    748     18      370      0      0 2013-02-27 22:06:05
0x89d74da0 nvsvc32.exe             996    792      4      200      0      0 2013-02-27 22:06:05
0x89c067e8 svchost.exe            1056    792     19      199      0      0 2013-02-27 22:06:05
0x894dbda0 svchost.exe            1124    792     11      243      0      0 2013-02-27 22:06:05
0x894e8638 svchost.exe            1260    792     69     1188      0      0 2013-02-27 22:06:06
0x89d7a360 svchost.exe            1308    792      6       77      0      0 2013-02-27 22:06:06
0x894fa3e0 svchost.exe            1392    792      4       81      0      0 2013-02-27 22:06:06
0x89cd4c08 explorer.exe           1676   1632     23      529      0      0 2013-02-27 22:06:06
0x89af39e0 rundll32.exe           1760   1676      4      116      0      0 2013-02-27 22:06:06
0x89bdb1d0 Bootcamp.exe           1768   1676      5      246      0      0 2013-02-27 22:06:06
0x89ba7558 RTHDCPL.EXE            1788   1676      4      197      0      0 2013-02-27 22:06:06
0x89bf8c10 rundll32.exe           1800   1676      1       88      0      0 2013-02-27 22:06:06
0x89b78da0 ctfmon.exe             1828   1676      3      145      0      0 2013-02-27 22:06:06
0x89b8e620 svchost.exe             668    792      4      107      0      0 2013-02-27 22:06:17
0x89c0dc10 AppleOSSMgr.exe         716    792      3       39      0      0 2013-02-27 22:06:17
0x89ac32c8 AppleTimeSrv.ex         872    792      1       44      0      0 2013-02-27 22:06:17
0x89aca958 svchost.exe            1088    792      4       86      0      0 2013-02-27 22:06:17
0x89ad7c18 svchost.exe            1304    792      8      141      0      0 2013-02-27 22:06:17
0x89397918 wmiprvse.exe           1896   1056      6      140      0      0 2013-02-27 15:06:42
0x89152020 qegyas.exe             2364   2236      0 --------      0      0 2013-02-27 15:08:35  2013-02-27 15:08:44
0x89160558 rundll32.exe           3032   1260      0 --------      0      0 2013-02-27 15:08:49  2013-02-27 15:08:49
0x89399638 ntvdm.exe              3992   1676      0 --------      0      0 2013-02-27 15:09:42  2013-02-27 15:09:43
0x8951f020 rundll32.exe           4016   1260      0 --------      0      0 2013-02-27 15:13:51  2013-02-27 15:13:51
0x890fb648 DumpIt.exe             3720   1676      0 --------      0      0 2013-02-27 15:13:59  2013-02-27 15:14:01
0x89124da0 DumpIt.exe              368   1676      2       68      0      0 2013-02-27 15:14:22
malfind shows the following:
Process: csrss.exe Pid: 712 Address: 0x7f6f0000
Process: explorer.exe Pid: 1676 Address: 0x3d920000
Process: explorer.exe Pid: 1676 Address: 0x23f0000
Process: rundll32.exe Pid: 1760 Address: 0xb30000
Process: rundll32.exe Pid: 1760 Address: 0x3d920000
Process: Bootcamp.exe Pid: 1768 Address: 0x10c0000
Process: Bootcamp.exe Pid: 1768 Address: 0x3d920000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x1bd0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x4af0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x3d920000
Process: rundll32.exe Pid: 1800 Address: 0xda0000
Process: rundll32.exe Pid: 1800 Address: 0x3d920000
Process: ctfmon.exe Pid: 1828 Address: 0xeb0000
Process: ctfmon.exe Pid: 1828 Address: 0x3d920000
Process: DumpIt.exe Pid: 368 Address: 0x130000
Process: DumpIt.exe Pid: 368 Address: 0x6fff0000
Just how would I go about seeing the injected code? Thanks for the
assist.
James
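One way to triage those malfind hits before dumping anything, as an added example that is not part of the original post: it parses the summary lines quoted above, ranks regions by how many distinct processes share the same base address (one injector writing one payload everywhere tends to leave that pattern), skips the acquisition tool's own process, and emits the Volatility 2 vaddump commands that extract just that region from each flagged process. The image file name and profile are placeholders; the hit list is copied from the post.

```python
import re
from collections import defaultdict

# Constructed input: the malfind summary lines quoted in the post above.
MALFIND_SUMMARY = """\
Process: csrss.exe Pid: 712 Address: 0x7f6f0000
Process: explorer.exe Pid: 1676 Address: 0x3d920000
Process: explorer.exe Pid: 1676 Address: 0x23f0000
Process: rundll32.exe Pid: 1760 Address: 0xb30000
Process: rundll32.exe Pid: 1760 Address: 0x3d920000
Process: Bootcamp.exe Pid: 1768 Address: 0x10c0000
Process: Bootcamp.exe Pid: 1768 Address: 0x3d920000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x1bd0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x4af0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x3d920000
Process: rundll32.exe Pid: 1800 Address: 0xda0000
Process: rundll32.exe Pid: 1800 Address: 0x3d920000
Process: ctfmon.exe Pid: 1828 Address: 0xeb0000
Process: ctfmon.exe Pid: 1828 Address: 0x3d920000
Process: DumpIt.exe Pid: 368 Address: 0x130000
Process: DumpIt.exe Pid: 368 Address: 0x6fff0000
"""
HIT_RE = re.compile(r"Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")

def parse_malfind(text):
    """Return (process, pid, base) tuples from malfind's per-hit header lines."""
    return [(m[1], int(m[2]), int(m[3], 16)) for m in HIT_RE.finditer(text)]

def shared_regions(hits, ignore=("DumpIt.exe",)):
    """Bases flagged in two or more distinct processes (the acquisition tool's
    own process is skipped): one payload written into many processes usually
    lands at the same base everywhere, so these are triaged first."""
    by_base = defaultdict(set)
    for name, pid, base in hits:
        if name not in ignore:
            by_base[base].add((name, pid))
    return {b: sorted(p) for b, p in by_base.items() if len(p) >= 2}

def dump_commands(hits, base, image="memory.dmp", profile="PROFILE_PLACEHOLDER"):
    """Volatility 2 vaddump lines extracting that one region from every flagged
    process; image file name and profile are placeholders."""
    pids = sorted({pid for _, pid, b in hits if b == base})
    return [f"vol.py -f {image} --profile={profile} vaddump -p {pid} -b {base:#x} -D dumps/"
            for pid in pids]

if __name__ == "__main__":
    hits = parse_malfind(MALFIND_SUMMARY)
    for base, procs in sorted(shared_regions(hits).items()):
        print(f"{base:#x} flagged in {len(procs)} processes: {procs}")
        print("\n".join(dump_commands(hits, base)))
```

The dumped .dmp files can then be opened in a disassembler or run through strings; the single-process hits (0x23f0000, 0xb30000, and so on) are the next tier to look at once the shared region is understood.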