DEMO Read-only showcase seeded with synthetic data. Sign-in, reviewing, rules, retention and alerts are disabled. Browse every page and session freely. Install on your fleet →
Session

demo-critical-exfil

claude-code on staging-ci-01 · 20s · first 2026-04-22 20:14:21 · last 2026-04-22 20:14:41
Notes 0

No notes yet. Leave the first one so the next reviewer inherits the context.

Timeline · 12 events

  1. 2026-04-22
  2. 20:14
    • 20:14:21 process_start Process started C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe pid 9900
    • 20:14:23 process_start Process started C:\Windows\System32\cmd.exe pid 9100
    • 20:14:25 file_open Opened C:\Users\ci\.aws\credentials pid 9900 sensitive
    • 20:14:26 file_open Opened C:\Users\ci\.ssh\id_rsa pid 9900 sensitive
    • 20:14:27 dns DNS lookup pastebin.com pid 9900
    • 20:14:29 file_write Wrote C:\Users\ci\AppData\Local\Temp\svc-updater.exe pid 9900
    • 20:14:31 image_load Loaded image C:\Users\ci\AppData\Local\Temp\svc-updater.exe · session-written pid 9100
    • 20:14:33 registry_set Wrote registry \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\SvcUpdater · run key pid 9100
    • 20:14:35 udp_connect UDP send 185.220.101.42:4444 (udp) pid 9100
    • 20:14:36 udp_connect UDP send 45.137.21.9:53413 (udp) pid 9100
    • 20:14:39 process_start Process started powershell -EncodedCommand JABjACAAPQAgACIASABlAGwAbABvACIAOwAgACQAYwA= pid 9101
    • 20:14:41 process_start Process started sc.exe create SvcUpdater binPath= "C:\Users\ci\AppData\Local\Temp\svc-updater.exe" start= auto pid 9102