Hi list,
I believe that one of my lab VMs is owned by a sophisticated rootkit.
There are many signs of that:
Rootkit in my lab?
Rootkit in my lab? (part II)
Live analysis was a dead end. Needless to say, common live analysis tools and AV found nothing.
So I have been focused for days on analyzing the RAM with Volatility. And I found absolutely nothing.
I am just afraid that now it is beyond my skills at this moment.
If some of you are curious, do not hesitate to have a look. Of course, I would love to learn more and get some tips and feedback.
I can provide more volatility output if necessary, or even the dump.
Thank you!
--- phocean