DEMO: read-only showcase seeded with synthetic data.
Session

demo-critical-exfil

claude-code on staging-ci-01 · 20s · first 2026-04-22 20:14:21 · last 2026-04-22 20:14:41

Process tree · 4 processes
  • root sensitive C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe pid 9900 · 2026-04-22T20:14:21.406495887Z · still running
    2 opens · 1 writes · 1 DNS · 2 sensitive
    top activity for this pid
    Opens
    C:\Users\ci\.aws\credentials · 1
    C:\Users\ci\.ssh\id_rsa · 1
    Writes
    C:\Users\ci\AppData\Local\Temp\svc-updater.exe · 1
    DNS
    pastebin.com · 1
    Sensitive
    C:\Users\ci\.aws\credentials · aws credentials · open
    C:\Users\ci\.ssh\id_rsa · ssh keys · open
  • root shell C:\Windows\System32\cmd.exe pid 9100 · 2026-04-22T20:14:23.406495887Z · still running
    2 TCP
    top activity for this pid
    TCP
    185.220.101.42:4444 (udp) · 1
    45.137.21.9:53413 (udp) · 1
  • root shell C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pid 9101 · 2026-04-22T20:14:39.406495887Z · still running
    powershell -EncodedCommand JABjACAAPQAgACIASABlAGwAbABvACIAOwAgACQAYwA=
  • root C:\Windows\System32\sc.exe pid 9102 · 2026-04-22T20:14:41.406495887Z · still running
    sc.exe create SvcUpdater binPath= "C:\Users\ci\AppData\Local\Temp\svc-updater.exe" start= auto