demo-critical-exfil · Overview

Session

`demo-critical-exfil`

claude-code on staging-ci-01 · 20s · first 2026-04-22 20:14:21 · last 2026-04-22 20:14:41

Notes 0

No notes yet. Leave the first one so the next reviewer inherits the context.

Processes 4

File opens 0

DNS / TCP / UDP 1 / 0 / 2

Sensitive hits 2

Event timeline · 20:14:21 → 20:14:41 · peak 1 event/bin

Sensitive path hits · 2 matches

Path	Reason	Op	Process	When
`C:\Users\ci\.aws\credentials`	aws credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe` pid 9900	`2026-04-22T20:14:25.406495887Z`
`C:\Users\ci\.ssh\id_rsa`	ssh keys	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe` pid 9900	`2026-04-22T20:14:26.406495887Z`

Suspicious host queries · 1 match

Host	Reason
`pastebin.com`	paste site

Suspicious command lines · 2 matches

Command	Reason	Process	When
`powershell -EncodedCommand JABjACAAPQAgACIASABlAGwAbABvACIAOwAgACQAYwA=` Decoded payload `$c = "Hello"; $c`	powershell encoded command	`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` pid 9101	`2026-04-22T20:14:39.406495887Z`
`sc.exe create SvcUpdater binPath= "C:\Users\ci\AppData\Local\Temp\svc-updater.exe" start= auto`	service install	`C:\Windows\System32\sc.exe` pid 9102	`2026-04-22T20:14:41.406495887Z`

Registry persistence · 1 hit

Key	Value	Op	Reason	Process	When
`\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run`	`SvcUpdater`	set	run key	pid 9100	`2026-04-22T20:14:33.406495887Z`

Loaded images · 1 flagged load

Image	Reason	Loaded by	When
`C:\Users\ci\AppData\Local\Temp\svc-updater.exe`	session-written	`C:\Windows\System32\cmd.exe` pid 9100	`2026-04-22T20:14:31.406495887Z`

Posted 2026-04-22 22:14:21Z