rocba — Live Investigation Report
The attacker’s C2 relay node. Zero disk artifacts — no persistence, no lateral movement, no staged files. This host deliberately leaves nothing on disk.
1 confirmed · 4 refuted · ~23 minutes · ~$14
T1055 confirmed in MsMpEng.exe (Windows Defender’s engine): two VadS PAGE_EXECUTE_READWRITE regions with x64 shellcode prologue recovered before malfind timeout. The attacker injected into their own AV. Round 1 timed out — Auditor returned INCONCLUSIVE. Round 2 recovered one VAD record and returned CONFIRMED. The architecture fails safe.
The same four memory-only signals refuted here as on nfury: T1071.001, T1134, T1547.001, T1574. Consistent Auditor behavior across victim machines and attacker infrastructure.