Sigtrace AI.Trace · Forensic session report

Session `demo-sensitive-hits`

Agent claude-code on host ml-workstation · 18s

Session ID: demo-sensitive-hits
Agent: claude-code
Host: ml-workstation
First seen: 2026-04-22 17:14:21Z
Last seen: 2026-04-22 17:14:39Z
Duration: 18s
Events captured: 15
Posted at: 2026-04-22 22:14:21Z
Report generated: 2026-04-23 10:21:51Z
Report ID: fbbbed495e12a883
Schema version: 1
Live dashboard: https://demo.sigtrace.ai/ui/sessions/demo-sensitive-hits

Verdict Critical 10 sensitive paths 1 flagged load 1 registry hit 1 shell spawn

Sensitive path hits · 10

Path	Reason	Op	Process	Pid	When
`C:\Users\bill\.aws\credentials`	aws credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:22.265696906Z`
`C:\Users\bill\.ssh\id_rsa`	ssh keys	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:23.265696906Z`
`C:\Users\bill\.ssh\id_ed25519`	ssh keys	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:24.265696906Z`
`C:\work\myapp\.env`	dotenv	write	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:25.265696906Z`
`C:\work\myapp\.env.production`	dotenv	write	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:26.265696906Z`
`C:\Users\bill\.kube\config`	kube config	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:27.265696906Z`
`C:\Users\bill\.docker\config.json`	docker credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:28.265696906Z`
`C:\Users\bill\.npmrc`	npm credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:29.265696906Z`
`C:\Users\bill\.pypirc`	pypi credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:30.265696906Z`
`C:\Users\bill\.git-credentials`	git credentials	open	`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	9999	`2026-04-22T17:14:31.265696906Z`

Suspicious host queries · 0

No suspicious host queries.

Suspicious command lines · 0

No suspicious command lines.

Registry persistence · 1

Key	Value	Op	Reason	Process	Pid	When
`\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\UpdaterSvc`	`ImagePath`	set	service install		9100	`2026-04-22T17:14:39.265696906Z`

Flagged image loads · 1

Image	Reason	Process	Pid	When
`C:\Users\bill\AppData\Local\Temp\updater-setup.exe`	session-written	`C:\Windows\System32\cmd.exe`	9100	`2026-04-22T17:14:37.265696906Z`

Top processes · 2

Image	Count
`C:\Users\bill\AppData\Roaming\Claude\claude-code\2.1.111\claude.exe`	1
`C:\Windows\System32\cmd.exe`	1

Top file opens · 4

Path	Count
`C:\Users\bill\.docker\config.json`	1
`C:\Users\bill\.git-credentials`	1
`C:\Users\bill\.npmrc`	1
`C:\Users\bill\.pypirc`	1

File writes · 3

Path	Count
`C:\Users\bill\AppData\Local\Temp\updater-setup.exe`	1
`C:\work\myapp\.env`	1
`C:\work\myapp\.env.production`	1

File renames / deletes

No renames or deletes.

DNS queries · 0

No DNS queries.

TCP targets · 0

No TCP connections.