Glossary

Evidence Collection (3:00-6:00 AM):

- Memory image analyzed with Volatility: malicious process `svchost.exe` (running from `C:\ProgramData\`) identified with network connections to `45.33.xx.xx`
- KAPE triage collection from WS-BILL-023 and three additional affected workstations
- Full disk image of WS-BILL-023 created with FTK Imager
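
The Volatility finding above, a `svchost.exe` running from `C:\ProgramData\`, rests on a path check for well-known system binary names. The following is an added example, not part of the original page: it applies that check to a process listing exported from memory analysis. The CSV layout, the `EXPECTED_DIRS` map and the function name `find_masquerading` are assumptions for illustration, and the sample rows are constructed.

```python
import csv
import io
import ntpath

# Assumption: default Windows install on C:. Maps protected image names
# to the only directories they should legitimately run from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}

# Constructed sample listing (pid, image name, image path); not real case data.
SAMPLE = """pid,name,path
612,services.exe,C:\\Windows\\System32\\services.exe
948,svchost.exe,C:\\Windows\\System32\\svchost.exe
4312,svchost.exe,C:\\ProgramData\\svchost.exe
5120,SVCHOST.EXE,c:\\windows\\system32\\..\\temp\\svchost.exe
2044,notepad.exe,C:\\Windows\\System32\\notepad.exe
"""

def find_masquerading(listing_text):
    """Return [(pid, normalized_path)] for protected names outside expected dirs."""
    hits = []
    for row in csv.DictReader(io.StringIO(listing_text)):
        name = row["name"].strip().lower()
        if name not in EXPECTED_DIRS:
            continue
        raw = row["path"].strip()
        if not raw:
            # Path could not be recovered from memory: surface for manual review.
            hits.append((int(row["pid"]), "<path unavailable>"))
            continue
        # normpath collapses ".." and mixed separators before comparing,
        # so a path that only appears to sit under System32 is still caught.
        norm = ntpath.normpath(raw).lower()
        if ntpath.dirname(norm) not in EXPECTED_DIRS[name]:
            hits.append((int(row["pid"]), norm))
    return hits

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE):
        print(f"suspicious: pid={pid} path={path}")
```
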
