Evidence Explorer
The following items were explicitly checked and NOT found. Negative evidence is documented to ensure analytic completeness.
What Was NOT Found
- —PTR (reverse DNS) lookup for 160.79.104.10 returned NXDOMAIN. No PTR record is configured for this IP. The absence is confirmed — not an error.
- —Manual threat intelligence check for 160.79.104.10 across available sources returned no known threat associations, no malware C2 listings, no abuse reports, and no blocklist entries.
IP address 160.79.104.10 is part of block 160.79.104.0/21, allocated via Direct Allocation to Anthropic, PBC (handle: ANTHR-1) in ARIN. The network is announced from AS399358.
AS399358 is registered as 'ANTHROPIC' to Anthropic, PBC in the ARIN registry. The AS originates the prefix 160.79.104.0/23 and 160.79.104.0/21 in BGP.
DNS A record query for claude.ai returned 160.79.104.10. This corroborates the TCP connection destination as belonging to Anthropic's claude.ai service.
IP address 151.101.1.140 is part of block 151.101.0.0/17 allocated to Fastly, Inc. The network originates from AS54113 (FASTLY).
PTR (reverse DNS) lookup for 160.79.104.10 returned NXDOMAIN. No PTR record is configured for this IP. The absence is confirmed — not an error.
RPKI Route Origin Authorization (ROA) for 160.79.104.0/23 is valid and signed for origin AS399358. This cryptographically confirms that AS399358 is the authorized originator of this prefix.
Anthropic's official IP address documentation at platform.claude.com/docs/en/api/ip-addresses lists 160.79.104.0/23 as an Anthropic inbound IP range. This is the authoritative public declaration by the service operator.
Manual threat intelligence check for 160.79.104.10 across available sources returned no known threat associations, no malware C2 listings, no abuse reports, and no blocklist entries.
BGP analysis shows that AS399358 (Anthropic) uses AS13335 (Cloudflare) as its upstream BGP transit provider. The fact that traffic routing passes through Cloudflare infrastructure does not imply that Cloudflare operates the destination service. IP block ownership (AS399358/Anthropic) is unaffected by transit path.
Historical BGP route data from Q4 2025 shows that the prefix 160.79.104.0/23 was briefly announced via AS3356 (Lumen Technologies / Level 3) as an alternate transit path rather than exclusively via AS13335 (Cloudflare) during the period approximately 2025-10-01 to 2026-01-31. IP block ownership by AS399358 (Anthropic) was unchanged throughout this period. The routing anomaly affected only the transit path, not the IP block attribution.
Claude Desktop application is installed on WORKSTATION-01. The installation was confirmed via local system inspection. This strongly supports attribution of the observed svchost.exe connections to Claude Desktop's expected API communication behavior.