Investigation Timeline

Filter by confidence:
5/15/2026
04:25 AM
UnresolvedInterpretation

Initial confidence: Unresolved

Investigation created from probe observation. No enrichment performed. Destination IPs and process legitimacy are unknown.

initial_assignment

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01

5/15/2026
05:30 AM
SupportedInterpretation

Confidence: Unresolved → Supported

RDAP and BGP evidence confirms Anthropic PBC ownership of 160.79.104.10 (AS399358). RPKI ROA valid. DNS corroboration via claude.ai and anthropic.com resolution. Three independent authoritative sources corroborate IP block ownership.

new_evidence

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01

5/15/2026
07:00 AM
ContradictedInterpretation

Confidence: Supported → Contradicted

Historical BGP data (ev-spike-010) shows 160.79.104.0/23 was briefly announced via Lumen (AS3356) as alternate transit in Q4 2025. While IP ownership (AS399358) is unchanged, the assumption of exclusive Cloudflare transit was contradicted. Routing continuity requires verification before conclusion can stand.

new_evidence

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01

5/15/2026
08:00 AM
SupportedInterpretation

Confidence: Contradicted → Supported

Investigator review confirmed: (1) the routing anomaly affected transit PATH only, not IP block OWNERSHIP — AS399358 registration to Anthropic PBC was continuous throughout Q4 2025; (2) investigator note-spike-001 confirms Claude Desktop installation providing service attribution; (3) note-spike-002 confirms process legitimacy. The contradiction was specific to a transit path assumption, not the core attribution. All original attribution evidence (ev-spike-001, ev-spike-002, ev-spike-006, ev-spike-007) remains valid and unaffected.

human_note

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01

5/15/2026
08:10 AM
SupportedInterpretation

Confidence: Unresolved → Supported

Investigator confirmed process legitimacy via note-spike-002: process tree shows legitimate parent (services.exe), image path is C:\Windows\System32\svchost.exe, and digital signature is valid (Microsoft Windows Publisher). Process is not a malware impersonator.

human_note

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01

5/15/2026
08:15 AM
ContextualInterpretation

Initial confidence: Contextual

Service attribution to Claude Desktop is circumstantial: consistent with all evidence (Claude Desktop installed, DNS queries for claude.ai, Anthropic IP attribution, HTTPS connection pattern) but not independently verified via automated endpoint analysis. The linkage between the installed application and these specific network flows was not confirmed programmatically.

initial_assignment

Observed svchost.exe outbound connections to unknown external IPs — WORKSTATION-01