@jrdepriest lol that's a fair point, I'm not a malware analyst and I'm unfamiliar with their TOS. If it's not strictly prohibited anywhere, you could always isolate your VMs and then lock down the local firewalls to observed c&c traffic from whatever sample you're working with. You're way ahead of me and have likely thought of that already, but wanted to chime in.