MDR conducted network and C2 examinations using Wireshark and FakeNet to capture network traffic during the execution of Are_bengal_cats_legal_in_australia_72495.js. FakeNet showed powershell.exe reaching out to various domain names with GET /xmlrpc.php HTTP/1.1 requests. The requests carried Base64-encoded cookies which, once decoded, revealed enumeration data about the host's directories and identity, including the folder path C:\Users\<Username>\AppData\Roaming\, as shown in Figure 13. As shown below, the process read the USERNAME and USERDOMAIN environment variables and sent their values to the same URIs.
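The cookie decoding described above can be reproduced over a FakeNet or Wireshark HTTP export. The following Python is an added example and is not code from the report, from MDR, or from the malware itself: it parses raw HTTP/1.1 requests, keeps only those targeting /xmlrpc.php, Base64-decodes each cookie value, and flags decoded text that matches the indicators the paragraph names (a Roaming profile path, USERNAME, USERDOMAIN). The domains, cookie names and host values in the embedded sample traffic are constructed for illustration and are not observed indicators.

```python
"""Decode Base64-encoded Cookie headers from captured GET /xmlrpc.php requests.

Added analysis example, not code from the report or the malware. The sample
requests below are constructed; the domains and host values are made up.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Indicators that a decoded cookie carries host enumeration data, matching what
# the capture showed: a Roaming profile path and USERNAME / USERDOMAIN values.
ENUM_PATTERNS = [
    re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\?", re.IGNORECASE),
    re.compile(r"\bUSERNAME=[^;|\s]+", re.IGNORECASE),
    re.compile(r"\bUSERDOMAIN=[^;|\s]+", re.IGNORECASE),
]


def _b64_cookie(payload: str) -> str:
    """Used only to build the constructed sample capture below."""
    return base64.b64encode(payload.encode()).decode()


# Constructed sample traffic (hypothetical domains, hypothetical host data).
SAMPLE_CAPTURE = [
    "GET /xmlrpc.php HTTP/1.1\r\n"
    "Host: first-hypothetical-c2.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: id=" + _b64_cookie("USERNAME=analyst;USERDOMAIN=WORKGROUP") + "\r\n\r\n",
    "GET /xmlrpc.php HTTP/1.1\r\n"
    "Host: second-hypothetical-c2.test\r\n"
    "Cookie: id=" + _b64_cookie("C:\\Users\\analyst\\AppData\\Roaming\\") + "; v=1\r\n\r\n",
    # Ordinary request with a plain cookie on a different path: must not be flagged.
    "GET /index.html HTTP/1.1\r\nHost: first-hypothetical-c2.test\r\nCookie: lang=en\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, object]:
    """Split one raw HTTP/1.1 request into method, path and lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def try_base64_decode(value: str) -> Optional[str]:
    """Return decoded text if value is valid Base64 yielding printable UTF-8, else None."""
    candidate = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", candidate):
        return None
    data_chars = candidate.rstrip("=")
    if len(data_chars) % 4 == 1:          # no valid Base64 string has this length
        return None
    candidate = data_chars + "=" * (-len(data_chars) % 4)   # restore stripped padding
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Short or binary-looking values (e.g. NUL bytes) are not treated as decoded text.
    return text if text and text.isprintable() else None


def decode_cookies(cookie_header: str) -> Dict[str, Optional[str]]:
    """Map each cookie name to its Base64-decoded value (None when not decodable)."""
    result: Dict[str, Optional[str]] = {}
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        result[name] = try_base64_decode(value)
    return result


def find_enumeration_beacons(capture: List[str]) -> List[Dict[str, object]]:
    """Return /xmlrpc.php requests whose decoded cookies carry host enumeration data."""
    findings: List[Dict[str, object]] = []
    for raw in capture:
        req = parse_request(raw)
        if str(req["path"]).split("?", 1)[0] != "/xmlrpc.php":
            continue
        headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
        cookie = headers.get("cookie")
        if not cookie:
            continue
        for name, decoded in decode_cookies(cookie).items():
            if decoded is None:
                continue
            hits = [m.group(0) for p in ENUM_PATTERNS for m in p.finditer(decoded)]
            if hits:
                findings.append({
                    "host": headers.get("host", ""),
                    "cookie": name,
                    "decoded": decoded,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in find_enumeration_beacons(SAMPLE_CAPTURE):
        print(f"{f['host']}: cookie {f['cookie']} -> {f['decoded']!r} ({', '.join(f['indicators'])})")
```

Running the script over real traffic means replacing SAMPLE_CAPTURE with the request text exported from FakeNet or from Wireshark (Follow TCP Stream). Cookie values that are not valid Base64, or that decode to non-printable bytes, are skipped rather than reported, so a short or ordinary session cookie does not produce a false hit; only decoded text matching the enumeration patterns is returned.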