Sigtrace AI.Trace · Forensic session report

Session `demo-critical-exfil`

Agent claude-code on host staging-ci-01 · 20s

Verdict Critical 2 sensitive paths 1 suspicious host 2 suspicious cmdlines 1 flagged load 1 registry hit 2 shell spawns 2 network targets

Sensitive path hits · 2

Path	Reason	Op	Process	Pid	When
`C:\Users\ci\.aws\credentials`	aws credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9900	`2026-04-22T20:14:25.406495887Z`
`C:\Users\ci\.ssh\id_rsa`	ssh keys	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9900	`2026-04-22T20:14:26.406495887Z`

Host	Reason
`pastebin.com`	paste site

Cmdline	Reason	Process	Pid	When
`powershell -EncodedCommand JABjACAAPQAgACIASABlAGwAbABvACIAOwAgACQAYwA=` `$c = "Hello"; $c`	powershell encoded command	`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`	9101	`2026-04-22T20:14:39.406495887Z`
`sc.exe create SvcUpdater binPath= "C:\Users\ci\AppData\Local\Temp\svc-updater.exe" start= auto`	service install	`C:\Windows\System32\sc.exe`	9102	`2026-04-22T20:14:41.406495887Z`

Key	Value	Op	Reason	Process	Pid	When
`\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run`	`SvcUpdater`	set	run key		9100	`2026-04-22T20:14:33.406495887Z`

Image	Reason	Process	Pid	When
`C:\Users\ci\AppData\Local\Temp\svc-updater.exe`	session-written	`C:\Windows\System32\cmd.exe`	9100	`2026-04-22T20:14:31.406495887Z`

Image	Count
`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	1
`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`	1
`C:\Windows\System32\cmd.exe`	1
`C:\Windows\System32\sc.exe`	1

No file opens captured.

Path	Count
`C:\Users\ci\AppData\Local\Temp\svc-updater.exe`	1

No renames or deletes.

Query	Count
`pastebin.com`	1

No TCP connections.

Target	Count
`185.220.101.42:4444`	1
`45.137.21.9:53413`	1