├── .gitignore ├── LICENSE ├── README.md ├── assets └── img │ └── B_Blue-Jupyter-03.png ├── incident-response └── sysmon-logs │ ├── Processes.ipynb │ ├── Sysmon-Stats.ipynb │ ├── examples │ └── HuntingMetasploit.evtx │ └── sysmon.py ├── log-analysis ├── HTTP.ipynb └── samples │ └── access.log ├── malware-analysis ├── .gitignore ├── Malware-Analysis.ipynb ├── MalwareSample.py ├── README.md ├── dropbox │ ├── SampleNegative.txt │ └── SamplePositive.txt └── saved-specimens │ └── .gitkeep ├── poetry.lock ├── pyproject.toml ├── requirements.txt └── utils ├── __init__.py ├── colors.py └── malware.py /.gitignore: -------------------------------------------------------------------------------- 1 | *__pycache__/ 2 | *.ipynb_checkpoints/ 3 | .idea/**.swp 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Michael Taggart 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # THIS REPOSITORY HAS BEEN ARCHIVED AND MIGRATED TO [Codeberg](https://codeberg.org/The-Taggart-Institute/blue-jupyter) 2 | 3 |

4 | 5 | ![B_Blue-Jupyter-03](https://user-images.githubusercontent.com/57866415/134895071-5a8774e1-f3fc-49dd-9ca5-9130611fc2da.png) 6 |

7 |
8 | 9 | [Documentation][wiki]   |   [Pull Requests][pr]   |   [Issues][issues] 10 | 11 | ![GitHub last commit][lastcommit] [![Pull Requests][img-pr-badge]][pr] [![License][img-license-badge]][license] 12 | 13 |
14 | 15 | ## About This Repository 16 | 17 | This repo contains Jupyter Notebooks useful for several aspects of Blue Team work. 18 | 19 | ## Installation 20 | 21 | ### Linux 22 | You need Jupyter Notebooks! On Linux, run: 23 | ``` 24 | $ pip3 install jupyter 25 | ``` 26 | Clone and enter the directory: 27 | ``` 28 | $ git clone https://github.com/mttaggart/blue-jupyter.git && cd blue-jupyter 29 | ``` 30 | If you don't have it already, install `poetry`: 31 | ``` 32 | $ pip3 install poetry 33 | ``` 34 | Install the dependencies with `poetry`: 35 | ``` 36 | $ poetry install 37 | ``` 38 | Then start a poetry shell, change to the directory of the notebook you want to run, and start the Jupyter server: 39 | ``` 40 | $ poetry shell 41 | ``` 42 | ``` 43 | $ cd [notebook-directory] 44 | ``` 45 | ``` 46 | $ jupyter notebook 47 | ``` 48 | For developing notebooks, install and use the Jupyter `lab` command: 49 | ``` 50 | $ pip3 install jupyterlab 51 | ``` 52 | ``` 53 | $ jupyter lab 54 | ``` 55 | 56 | 59 | [issues]:https://github.com/mttaggart/blue-jupyter/issues "Blue-Jupyter Issues ➶" 60 | [pull-requests]:https://github.com/mttaggart/blue-jupyter/pulls "Blue-Jupyter Requests ➶" 61 | [wiki]:https://github.com/mttaggart/blue-jupyter/wiki "Blue-Jupyter Documentation ➶" 62 | [repo]:https://github.com/mttaggart/blue-jupyter "Blue-Jupyter Repository ➶" 63 | [pr]:https://github.com/mttaggart/blue-jupyter/pulls "Blue-Jupyter Pull Requests ➶" 64 | [license]:https://github.com/mttaggart/blue-jupyter/blob/master/LICENSE "Blue-Jupyter License File ➶" 65 | [docker]:https://www.docker.com/ "Docker (external link) ➶" 66 | 67 | 70 | [lastcommit]:https://img.shields.io/github/last-commit/mttaggart/blue-jupyter?style=for-the-badge 71 | 
[img-pr-badge]:https://img.shields.io/badge/PRs-welcome-orange.svg?style=for-the-badge&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c3ZnIGlkPSJzdmcyIiB3aWR0aD0iNjQ1IiBoZWlnaHQ9IjU4NSIgdmVyc2lvbj0iMS4wIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPiA8ZyBpZD0ibGF5ZXIxIj4gIDxwYXRoIGlkPSJwYXRoMjQxNyIgZD0ibTI5Ny4zIDU1MC44N2MtMTMuNzc1LTE1LjQzNi00OC4xNzEtNDUuNTMtNzYuNDM1LTY2Ljg3NC04My43NDQtNjMuMjQyLTk1LjE0Mi03Mi4zOTQtMTI5LjE0LTEwMy43LTYyLjY4NS01Ny43Mi04OS4zMDYtMTE1LjcxLTg5LjIxNC0xOTQuMzQgMC4wNDQ1MTItMzguMzg0IDIuNjYwOC01My4xNzIgMTMuNDEtNzUuNzk3IDE4LjIzNy0zOC4zODYgNDUuMS02Ni45MDkgNzkuNDQ1LTg0LjM1NSAyNC4zMjUtMTIuMzU2IDM2LjMyMy0xNy44NDUgNzYuOTQ0LTE4LjA3IDQyLjQ5My0wLjIzNDgzIDUxLjQzOSA0LjcxOTcgNzYuNDM1IDE4LjQ1MiAzMC40MjUgMTYuNzE0IDYxLjc0IDUyLjQzNiA2OC4yMTMgNzcuODExbDMuOTk4MSAxNS42NzIgOS44NTk2LTIxLjU4NWM1NS43MTYtMTIxLjk3IDIzMy42LTEyMC4xNSAyOTUuNSAzLjAzMTYgMTkuNjM4IDM5LjA3NiAyMS43OTQgMTIyLjUxIDQuMzgwMSAxNjkuNTEtMjIuNzE1IDYxLjMwOS02NS4zOCAxMDguMDUtMTY0LjAxIDE3OS42OC02NC42ODEgNDYuOTc0LTEzNy44OCAxMTguMDUtMTQyLjk4IDEyOC4wMy01LjkxNTUgMTEuNTg4LTAuMjgyMTYgMS44MTU5LTI2LjQwOC0yNy40NjF6IiBmaWxsPSIjZGQ1MDRmIi8%2BIDwvZz48L3N2Zz4%3D 72 | [img-license-badge]:https://img.shields.io/badge/license-mit-367588.svg?style=for-the-badge 73 | [img-docker-badge]:https://img.shields.io/badge/Supports-Docker-yellow.svg?style=for-the-badge&logo=docker 74 | -------------------------------------------------------------------------------- /assets/img/B_Blue-Jupyter-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mttaggart/blue-jupyter/3266db2fa05a2323614594eda59456b03becece4/assets/img/B_Blue-Jupyter-03.png -------------------------------------------------------------------------------- /incident-response/sysmon-logs/Processes.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "markdown", 5 | "id": 
"606f227e-e30b-4a86-a23f-c3cd487ab513", 6 | "metadata": {}, 7 | "source": [ 8 | "# Sysmon Process Analysis\n", 9 | "\n", 10 | "This notebook is intended to review process creations as revealed by Sysmon logs." 11 | ] 12 | }, 13 | { 14 | "cell_type": "code", 15 | "execution_count": 1, 16 | "id": "92e82f02-2cf9-4805-92b7-61eabed05422", 17 | "metadata": {}, 18 | "outputs": [], 19 | "source": [ 20 | "# Import dependencies\n", 21 | "import sys\n", 22 | "import os\n", 23 | "sys.path.append(os.path.abspath(\"../../utils\"))\n", 24 | "from malware import *\n", 25 | "from sysmon import load_events\n", 26 | "import plotly.express as px\n", 27 | "import plotly.graph_objects as go\n", 28 | "import pandas as pd\n", 29 | "import ipywidgets as widgets\n", 30 | "from IPython.display import display\n", 31 | "from getpass import getpass\n", 32 | "import networkx as nx\n", 33 | "from virus_total_apis import PublicApi as VirusTotalPublicApi\n", 34 | "import re" 35 | ] 36 | }, 37 | { 38 | "cell_type": "markdown", 39 | "id": "ae1e9513-81bf-472b-bcc7-9dac1efa3761", 40 | "metadata": {}, 41 | "source": [ 42 | "Begin by entering the file to examine (relative or absolute path)" 43 | ] 44 | }, 45 | { 46 | "cell_type": "code", 47 | "execution_count": 2, 48 | "id": "6686e7cd-594b-4bba-a9ac-87143b2d0dda", 49 | "metadata": { 50 | "jupyter": { 51 | "source_hidden": true 52 | }, 53 | "tags": [] 54 | }, 55 | "outputs": [ 56 | { 57 | "data": { 58 | "application/vnd.jupyter.widget-view+json": { 59 | "model_id": "7aef35e913bd44abab789efdc56e3e0b", 60 | "version_major": 2, 61 | "version_minor": 0 62 | }, 63 | "text/plain": [ 64 | "Text(value='examples/HuntingMetasploit.evtx', description='Logfile', placeholder='/path/to/logfile.evtx')" 65 | ] 66 | }, 67 | "metadata": {}, 68 | "output_type": "display_data" 69 | } 70 | ], 71 | "source": [ 72 | "file_path = widgets.Text(\n", 73 | " value='examples/HuntingMetasploit.evtx',\n", 74 | " placeholder='/path/to/logfile.evtx',\n", 75 | " description='Logfile',\n", 
76 | " disabled=False\n", 77 | ")\n", 78 | "display(file_path)" 79 | ] 80 | }, 81 | { 82 | "cell_type": "code", 83 | "execution_count": 3, 84 | "id": "d2906d08-fda5-4636-ae3a-d4b6048974e4", 85 | "metadata": {}, 86 | "outputs": [ 87 | { 88 | "name": "stdin", 89 | "output_type": "stream", 90 | "text": [ 91 | "Enter VirusTotal API Key (blank if none): ································································\n" 92 | ] 93 | } 94 | ], 95 | "source": [ 96 | "VT_API_KEY = getpass(\"Enter VirusTotal API Key (blank if none): \")" 97 | ] 98 | }, 99 | { 100 | "cell_type": "code", 101 | "execution_count": 4, 102 | "id": "407428a9-81c1-407e-9391-6475db2accd8", 103 | "metadata": {}, 104 | "outputs": [], 105 | "source": [ 106 | "vt = VirusTotalPublicApi(VT_API_KEY)" 107 | ] 108 | }, 109 | { 110 | "cell_type": "code", 111 | "execution_count": 5, 112 | "id": "67027c75-0115-44cf-9ac9-40594de6eee7", 113 | "metadata": {}, 114 | "outputs": [], 115 | "source": [ 116 | "# Create DataFrame\n", 117 | "events = load_events(file_path.value)\n", 118 | "df = pd.DataFrame([vars(e) for e in events])" 119 | ] 120 | }, 121 | { 122 | "cell_type": "code", 123 | "execution_count": 6, 124 | "id": "62c7715f-f0ae-49d8-bfe1-2f11ad0d5698", 125 | "metadata": {}, 126 | "outputs": [], 127 | "source": [ 128 | "event_1 = df[df.event_id == \"1\"]" 129 | ] 130 | }, 131 | { 132 | "cell_type": "markdown", 133 | "id": "b833aa08-e026-4bd4-a7a0-cdd802d76307", 134 | "metadata": {}, 135 | "source": [ 136 | "## Hash Review\n", 137 | "\n", 138 | "Let's start by choosing the images to review" 139 | ] 140 | }, 141 | { 142 | "cell_type": "code", 143 | "execution_count": 7, 144 | "id": "36ad23bf-73f4-4d35-bd27-820f27d3391b", 145 | "metadata": {}, 146 | "outputs": [ 147 | { 148 | "data": { 149 | "text/html": [ 150 | "
\n", 151 | "\n", 164 | "\n", 165 | " \n", 166 | " \n", 167 | " \n", 168 | " \n", 169 | " \n", 170 | " \n", 171 | " \n", 172 | " \n", 173 | " \n", 174 | " \n", 175 | " \n", 176 | " \n", 177 | " \n", 178 | " \n", 179 | " \n", 180 | " \n", 181 | " \n", 182 | " \n", 183 | " \n", 184 | " \n", 185 | " \n", 186 | " \n", 187 | " \n", 188 | " \n", 189 | " \n", 190 | " \n", 191 | " \n", 192 | " \n", 193 | " \n", 194 | " \n", 195 | " \n", 196 | " \n", 197 | " \n", 198 | " \n", 199 | " \n", 200 | " \n", 201 | " \n", 202 | " \n", 203 | " \n", 204 | " \n", 205 | " \n", 206 | " \n", 207 | " \n", 208 | " \n", 209 | " \n", 210 | " \n", 211 | " \n", 212 | " \n", 213 | " \n", 214 | " \n", 215 | " \n", 216 | " \n", 217 | " \n", 218 | " \n", 219 | " \n", 220 | " \n", 221 | " \n", 222 | " \n", 223 | " \n", 224 | " \n", 225 | " \n", 226 | " \n", 227 | " \n", 228 | " \n", 229 | " \n", 230 | " \n", 231 | " \n", 232 | " \n", 233 | " \n", 234 | " \n", 235 | " \n", 236 | " \n", 237 | " \n", 238 | " \n", 239 | " \n", 240 | " \n", 241 | " \n", 242 | " \n", 243 | " \n", 244 | " \n", 245 | " \n", 246 | " \n", 247 | " \n", 248 | " \n", 249 | " \n", 250 | " \n", 251 | " \n", 252 | " \n", 253 | " \n", 254 | " \n", 255 | " \n", 256 | " \n", 257 | " \n", 258 | " \n", 259 | " \n", 260 | " \n", 261 | " \n", 262 | " \n", 263 | " \n", 264 | " \n", 265 | " \n", 266 | " \n", 267 | " \n", 268 | " \n", 269 | " \n", 270 | " \n", 271 | " \n", 272 | " \n", 273 | " \n", 274 | " \n", 275 | " \n", 276 | " \n", 277 | " \n", 278 | " \n", 279 | " \n", 280 | " \n", 281 | " \n", 282 | " \n", 283 | " \n", 284 | " \n", 285 | " \n", 286 | " \n", 287 | " \n", 288 | " \n", 289 | " \n", 290 | " \n", 291 | " \n", 292 | " \n", 293 | " \n", 294 | " \n", 295 | " \n", 296 | " \n", 297 | " \n", 298 | " \n", 299 | " \n", 300 | " \n", 301 | " \n", 302 | " \n", 303 | " \n", 304 | " \n", 305 | " \n", 306 | " \n", 307 | " \n", 308 | " \n", 309 | " \n", 310 | " \n", 311 | " \n", 312 | " \n", 313 | " \n", 314 | " \n", 315 | " \n", 316 | " 
\n", 317 | " \n", 318 | " \n", 319 | " \n", 320 | " \n", 321 | " \n", 322 | " \n", 323 | " \n", 324 | " \n", 325 | " \n", 326 | " \n", 327 | " \n", 328 | " \n", 329 | " \n", 330 | " \n", 331 | " \n", 332 | " \n", 333 | " \n", 334 | " \n", 335 | " \n", 336 | " \n", 337 | " \n", 338 | " \n", 339 | " \n", 340 | " \n", 341 | " \n", 342 | " \n", 343 | " \n", 344 | " \n", 345 | " \n", 346 | " \n", 347 | " \n", 348 | " \n", 349 | " \n", 350 | " \n", 351 | " \n", 352 | " \n", 353 | " \n", 354 | " \n", 355 | " \n", 356 | " \n", 357 | " \n", 358 | " \n", 359 | " \n", 360 | " \n", 361 | " \n", 362 | " \n", 363 | " \n", 364 | " \n", 365 | " \n", 366 | " \n", 367 | " \n", 368 | " \n", 369 | " \n", 370 | " \n", 371 | " \n", 372 | " \n", 373 | " \n", 374 | " \n", 375 | " \n", 376 | " \n", 377 | " \n", 378 | " \n", 379 | " \n", 380 | " \n", 381 | " \n", 382 | " \n", 383 | " \n", 384 | " \n", 385 | " \n", 386 | " \n", 387 | " \n", 388 | " \n", 389 | " \n", 390 | " \n", 391 | " \n", 392 | " \n", 393 | " \n", 394 | " \n", 395 | " \n", 396 | " \n", 397 | " \n", 398 | " \n", 399 | " \n", 400 | " \n", 401 | " \n", 402 | " \n", 403 | " \n", 404 | " \n", 405 | " \n", 406 | " \n", 407 | " \n", 408 | " \n", 409 | " \n", 410 | " \n", 411 | " \n", 412 | " \n", 413 | " \n", 414 | " \n", 415 | " \n", 416 | " \n", 417 | " \n", 418 | " \n", 419 | " \n", 420 | " \n", 421 | " \n", 422 | " \n", 423 | " \n", 424 | " \n", 425 | " \n", 426 | " \n", 427 | " \n", 428 | " \n", 429 | " \n", 430 | " \n", 431 | " \n", 432 | " \n", 433 | " \n", 434 | " \n", 435 | " \n", 436 | " \n", 437 | " \n", 438 | " \n", 439 | " \n", 440 | " \n", 441 | " \n", 442 | " \n", 443 | " \n", 444 | " \n", 445 | " \n", 446 | " \n", 447 | " \n", 448 | " \n", 449 | " \n", 450 | " \n", 451 | " \n", 452 | " \n", 453 | " \n", 454 | " \n", 455 | " \n", 456 | " \n", 457 | " \n", 458 | " \n", 459 | " \n", 460 | " \n", 461 | " \n", 462 | " \n", 463 | " \n", 464 | " \n", 465 | " \n", 466 | " \n", 467 | " \n", 468 | " \n", 469 | " \n", 470 | 
" \n", 471 | " \n", 472 | " \n", 473 | " \n", 474 | " \n", 475 | " \n", 476 | " \n", 477 | " \n", 478 | " \n", 479 | " \n", 480 | " \n", 481 | " \n", 482 | " \n", 483 | " \n", 484 | " \n", 485 | " \n", 486 | " \n", 487 | " \n", 488 | " \n", 489 | " \n", 490 | " \n", 491 | " \n", 492 | " \n", 493 | " \n", 494 | " \n", 495 | " \n", 496 | " \n", 497 | " \n", 498 | " \n", 499 | " \n", 500 | " \n", 501 | " \n", 502 | " \n", 503 | " \n", 504 | " \n", 505 | " \n", 506 | " \n", 507 | " \n", 508 | " \n", 509 | " \n", 510 | " \n", 511 | " \n", 512 | " \n", 513 | " \n", 514 | " \n", 515 | " \n", 516 | " \n", 517 | " \n", 518 | " \n", 519 | " \n", 520 | " \n", 521 | " \n", 522 | " \n", 523 | " \n", 524 | " \n", 525 | " \n", 526 | " \n", 527 | " \n", 528 | " \n", 529 | " \n", 530 | " \n", 531 | " \n", 532 | " \n", 533 | " \n", 534 | " \n", 535 | " \n", 536 | " \n", 537 | "
soupuser_idevent_idtime_createdpidusersrc_ipdest_ipsrc_portdest_portintegrity_levelshashescommand_lineparent_command_lineparent_imagetarget_objectdetailstarget_filenamequery_namequery_results
image
C:\\Windows\\System32\\taskhostw.exe77777700007777700000
C:\\Windows\\System32\\AtBroker.exe44444400004444400000
C:\\Windows\\System32\\LogonUI.exe44444400004444400000
C:\\Windows\\System32\\TSTheme.exe44444400004444400000
C:\\Windows\\System32\\consent.exe22222200002222200000
C:\\Windows\\System32\\rdpclip.exe22222200002222200000
C:\\Windows\\System32\\sethc.exe22222200002222200000
C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MpCmdRun.exe11111100001111100000
C:\\Users\\THM-Threat\\Downloads\\shell.exe11111100001111100000
C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe11111100001111100000
C:\\Windows\\System32\\SecurityHealthService.exe11111100001111100000
C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe11111100001111100000
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe11111100001111100000
C:\\Windows\\System32\\rundll32.exe11111100001111100000
\n", 538 | "
" 539 | ], 540 | "text/plain": [ 541 | " soup user_id event_id \\\n", 542 | "image \n", 543 | "C:\\Windows\\System32\\taskhostw.exe 7 7 7 \n", 544 | "C:\\Windows\\System32\\AtBroker.exe 4 4 4 \n", 545 | "C:\\Windows\\System32\\LogonUI.exe 4 4 4 \n", 546 | "C:\\Windows\\System32\\TSTheme.exe 4 4 4 \n", 547 | "C:\\Windows\\System32\\consent.exe 2 2 2 \n", 548 | "C:\\Windows\\System32\\rdpclip.exe 2 2 2 \n", 549 | "C:\\Windows\\System32\\sethc.exe 2 2 2 \n", 550 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 1 1 \n", 551 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 1 1 \n", 552 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 1 1 \n", 553 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 1 1 \n", 554 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 1 1 \n", 555 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 1 1 1 \n", 556 | "C:\\Windows\\System32\\rundll32.exe 1 1 1 \n", 557 | "\n", 558 | " time_created pid user \\\n", 559 | "image \n", 560 | "C:\\Windows\\System32\\taskhostw.exe 7 7 7 \n", 561 | "C:\\Windows\\System32\\AtBroker.exe 4 4 4 \n", 562 | "C:\\Windows\\System32\\LogonUI.exe 4 4 4 \n", 563 | "C:\\Windows\\System32\\TSTheme.exe 4 4 4 \n", 564 | "C:\\Windows\\System32\\consent.exe 2 2 2 \n", 565 | "C:\\Windows\\System32\\rdpclip.exe 2 2 2 \n", 566 | "C:\\Windows\\System32\\sethc.exe 2 2 2 \n", 567 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 1 1 \n", 568 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 1 1 \n", 569 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 1 1 \n", 570 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 1 1 \n", 571 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 1 1 \n", 572 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 
1 1 1 \n", 573 | "C:\\Windows\\System32\\rundll32.exe 1 1 1 \n", 574 | "\n", 575 | " src_ip dest_ip src_port \\\n", 576 | "image \n", 577 | "C:\\Windows\\System32\\taskhostw.exe 0 0 0 \n", 578 | "C:\\Windows\\System32\\AtBroker.exe 0 0 0 \n", 579 | "C:\\Windows\\System32\\LogonUI.exe 0 0 0 \n", 580 | "C:\\Windows\\System32\\TSTheme.exe 0 0 0 \n", 581 | "C:\\Windows\\System32\\consent.exe 0 0 0 \n", 582 | "C:\\Windows\\System32\\rdpclip.exe 0 0 0 \n", 583 | "C:\\Windows\\System32\\sethc.exe 0 0 0 \n", 584 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 0 0 0 \n", 585 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 0 0 0 \n", 586 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 0 0 0 \n", 587 | "C:\\Windows\\System32\\SecurityHealthService.exe 0 0 0 \n", 588 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 0 0 0 \n", 589 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 0 0 0 \n", 590 | "C:\\Windows\\System32\\rundll32.exe 0 0 0 \n", 591 | "\n", 592 | " dest_port \\\n", 593 | "image \n", 594 | "C:\\Windows\\System32\\taskhostw.exe 0 \n", 595 | "C:\\Windows\\System32\\AtBroker.exe 0 \n", 596 | "C:\\Windows\\System32\\LogonUI.exe 0 \n", 597 | "C:\\Windows\\System32\\TSTheme.exe 0 \n", 598 | "C:\\Windows\\System32\\consent.exe 0 \n", 599 | "C:\\Windows\\System32\\rdpclip.exe 0 \n", 600 | "C:\\Windows\\System32\\sethc.exe 0 \n", 601 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 0 \n", 602 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 0 \n", 603 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 0 \n", 604 | "C:\\Windows\\System32\\SecurityHealthService.exe 0 \n", 605 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 0 \n", 606 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 
0 \n", 607 | "C:\\Windows\\System32\\rundll32.exe 0 \n", 608 | "\n", 609 | " integrity_levels hashes \\\n", 610 | "image \n", 611 | "C:\\Windows\\System32\\taskhostw.exe 7 7 \n", 612 | "C:\\Windows\\System32\\AtBroker.exe 4 4 \n", 613 | "C:\\Windows\\System32\\LogonUI.exe 4 4 \n", 614 | "C:\\Windows\\System32\\TSTheme.exe 4 4 \n", 615 | "C:\\Windows\\System32\\consent.exe 2 2 \n", 616 | "C:\\Windows\\System32\\rdpclip.exe 2 2 \n", 617 | "C:\\Windows\\System32\\sethc.exe 2 2 \n", 618 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 1 \n", 619 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 1 \n", 620 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 1 \n", 621 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 1 \n", 622 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 1 \n", 623 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 1 1 \n", 624 | "C:\\Windows\\System32\\rundll32.exe 1 1 \n", 625 | "\n", 626 | " command_line \\\n", 627 | "image \n", 628 | "C:\\Windows\\System32\\taskhostw.exe 7 \n", 629 | "C:\\Windows\\System32\\AtBroker.exe 4 \n", 630 | "C:\\Windows\\System32\\LogonUI.exe 4 \n", 631 | "C:\\Windows\\System32\\TSTheme.exe 4 \n", 632 | "C:\\Windows\\System32\\consent.exe 2 \n", 633 | "C:\\Windows\\System32\\rdpclip.exe 2 \n", 634 | "C:\\Windows\\System32\\sethc.exe 2 \n", 635 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 \n", 636 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 \n", 637 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 \n", 638 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 \n", 639 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 \n", 640 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 
1 \n", 641 | "C:\\Windows\\System32\\rundll32.exe 1 \n", 642 | "\n", 643 | " parent_command_line \\\n", 644 | "image \n", 645 | "C:\\Windows\\System32\\taskhostw.exe 7 \n", 646 | "C:\\Windows\\System32\\AtBroker.exe 4 \n", 647 | "C:\\Windows\\System32\\LogonUI.exe 4 \n", 648 | "C:\\Windows\\System32\\TSTheme.exe 4 \n", 649 | "C:\\Windows\\System32\\consent.exe 2 \n", 650 | "C:\\Windows\\System32\\rdpclip.exe 2 \n", 651 | "C:\\Windows\\System32\\sethc.exe 2 \n", 652 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 \n", 653 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 \n", 654 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 \n", 655 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 \n", 656 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 \n", 657 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 1 \n", 658 | "C:\\Windows\\System32\\rundll32.exe 1 \n", 659 | "\n", 660 | " parent_image \\\n", 661 | "image \n", 662 | "C:\\Windows\\System32\\taskhostw.exe 7 \n", 663 | "C:\\Windows\\System32\\AtBroker.exe 4 \n", 664 | "C:\\Windows\\System32\\LogonUI.exe 4 \n", 665 | "C:\\Windows\\System32\\TSTheme.exe 4 \n", 666 | "C:\\Windows\\System32\\consent.exe 2 \n", 667 | "C:\\Windows\\System32\\rdpclip.exe 2 \n", 668 | "C:\\Windows\\System32\\sethc.exe 2 \n", 669 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 1 \n", 670 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 1 \n", 671 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 1 \n", 672 | "C:\\Windows\\System32\\SecurityHealthService.exe 1 \n", 673 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 1 \n", 674 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 
1 \n", 675 | "C:\\Windows\\System32\\rundll32.exe 1 \n", 676 | "\n", 677 | " target_object details \\\n", 678 | "image \n", 679 | "C:\\Windows\\System32\\taskhostw.exe 0 0 \n", 680 | "C:\\Windows\\System32\\AtBroker.exe 0 0 \n", 681 | "C:\\Windows\\System32\\LogonUI.exe 0 0 \n", 682 | "C:\\Windows\\System32\\TSTheme.exe 0 0 \n", 683 | "C:\\Windows\\System32\\consent.exe 0 0 \n", 684 | "C:\\Windows\\System32\\rdpclip.exe 0 0 \n", 685 | "C:\\Windows\\System32\\sethc.exe 0 0 \n", 686 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 0 0 \n", 687 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 0 0 \n", 688 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 0 0 \n", 689 | "C:\\Windows\\System32\\SecurityHealthService.exe 0 0 \n", 690 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 0 0 \n", 691 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 0 0 \n", 692 | "C:\\Windows\\System32\\rundll32.exe 0 0 \n", 693 | "\n", 694 | " target_filename \\\n", 695 | "image \n", 696 | "C:\\Windows\\System32\\taskhostw.exe 0 \n", 697 | "C:\\Windows\\System32\\AtBroker.exe 0 \n", 698 | "C:\\Windows\\System32\\LogonUI.exe 0 \n", 699 | "C:\\Windows\\System32\\TSTheme.exe 0 \n", 700 | "C:\\Windows\\System32\\consent.exe 0 \n", 701 | "C:\\Windows\\System32\\rdpclip.exe 0 \n", 702 | "C:\\Windows\\System32\\sethc.exe 0 \n", 703 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 0 \n", 704 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 0 \n", 705 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 0 \n", 706 | "C:\\Windows\\System32\\SecurityHealthService.exe 0 \n", 707 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 0 \n", 708 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 
0 \n", 709 | "C:\\Windows\\System32\\rundll32.exe 0 \n", 710 | "\n", 711 | " query_name query_results \n", 712 | "image \n", 713 | "C:\\Windows\\System32\\taskhostw.exe 0 0 \n", 714 | "C:\\Windows\\System32\\AtBroker.exe 0 0 \n", 715 | "C:\\Windows\\System32\\LogonUI.exe 0 0 \n", 716 | "C:\\Windows\\System32\\TSTheme.exe 0 0 \n", 717 | "C:\\Windows\\System32\\consent.exe 0 0 \n", 718 | "C:\\Windows\\System32\\rdpclip.exe 0 0 \n", 719 | "C:\\Windows\\System32\\sethc.exe 0 0 \n", 720 | "C:\\ProgramData\\Microsoft\\Windows Defender\\Platf... 0 0 \n", 721 | "C:\\Users\\THM-Threat\\Downloads\\shell.exe 0 0 \n", 722 | "C:\\Windows\\ImmersiveControlPanel\\SystemSettings... 0 0 \n", 723 | "C:\\Windows\\System32\\SecurityHealthService.exe 0 0 \n", 724 | "C:\\Windows\\System32\\Speech_OneCore\\common\\Speec... 0 0 \n", 725 | "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powe... 0 0 \n", 726 | "C:\\Windows\\System32\\rundll32.exe 0 0 " 727 | ] 728 | }, 729 | "execution_count": 7, 730 | "metadata": {}, 731 | "output_type": "execute_result" 732 | } 733 | ], 734 | "source": [ 735 | "event_1.groupby(\"image\").count().sort_values(by=\"pid\", ascending=False)" 736 | ] 737 | }, 738 | { 739 | "cell_type": "code", 740 | "execution_count": 20, 741 | "id": "a87a471f-942b-4a0b-8109-cbac4375ab77", 742 | "metadata": {}, 743 | "outputs": [ 744 | { 745 | "name": "stdin", 746 | "output_type": "stream", 747 | "text": [ 748 | "Please enter a comma-separated list of images to review: C:\\Users\\THM-Threat\\Downloads\\shell.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n" 749 | ] 750 | } 751 | ], 752 | "source": [ 753 | "review_images = input(\"Please enter a comma-separated list of images to review: \").split(\",\")\n", 754 | "for_review = event_1[event_1.image.apply(lambda i: i in review_images)].reset_index()\n", 755 | "pd.set_option(\"display.max_colwidth\", 100)" 756 | ] 757 | }, 758 | { 759 | "cell_type": "markdown", 760 | "id": 
"c3c4fbb3-4dc9-4703-866d-15544b9fce81", 761 | "metadata": { 762 | "tags": [] 763 | }, 764 | "source": [ 765 | "Let's submit these bad boys to VirusTotal!" 766 | ] 767 | }, 768 | { 769 | "cell_type": "code", 770 | "execution_count": 24, 771 | "id": "ca1a8dd1-dc0a-43d5-bcfb-7c6609081dd4", 772 | "metadata": { 773 | "jupyter": { 774 | "source_hidden": true 775 | }, 776 | "tags": [] 777 | }, 778 | "outputs": [], 779 | "source": [ 780 | "for idx, h in enumerate(for_review.hashes.values):\n", 781 | " clean_hashes = re.sub(r\"[A-Z0-9]+=\",\"\", h).split(\",\") \n", 782 | " hash_results = []\n", 783 | " for c in clean_hashes:\n", 784 | " res = vt.get_file_report(c)\n", 785 | " hash_results.append(str(malicious_confidence(res)))\n", 786 | " for_review.loc[idx, \"malicious_confidence\"] = \",\".join(hash_results)" 787 | ] 788 | }, 789 | { 790 | "cell_type": "code", 791 | "execution_count": 28, 792 | "id": "f3da9385-639c-4bf0-bb47-860e82c7e405", 793 | "metadata": {}, 794 | "outputs": [ 795 | { 796 | "data": { 797 | "text/html": [ 798 | "
\n", 799 | "\n", 812 | "\n", 813 | " \n", 814 | " \n", 815 | " \n", 816 | " \n", 817 | " \n", 818 | " \n", 819 | " \n", 820 | " \n", 821 | " \n", 822 | " \n", 823 | " \n", 824 | " \n", 825 | " \n", 826 | " \n", 827 | " \n", 828 | " \n", 829 | " \n", 830 | " \n", 831 | " \n", 832 | "
imagemalicious_confidence
0C:\\Users\\THM-Threat\\Downloads\\shell.exeNone,None,None
1C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe0.0,None,None
\n", 833 | "
" 834 | ], 835 | "text/plain": [ 836 | " image \\\n", 837 | "0 C:\\Users\\THM-Threat\\Downloads\\shell.exe \n", 838 | "1 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \n", 839 | "\n", 840 | " malicious_confidence \n", 841 | "0 None,None,None \n", 842 | "1 0.0,None,None " 843 | ] 844 | }, 845 | "execution_count": 28, 846 | "metadata": {}, 847 | "output_type": "execute_result" 848 | } 849 | ], 850 | "source": [ 851 | "for_review[[\"image\",\"malicious_confidence\"]]" 852 | ] 853 | }, 854 | { 855 | "cell_type": "markdown", 856 | "id": "9ff13e84-cfb2-4f70-b0b7-ab877e272b16", 857 | "metadata": {}, 858 | "source": [ 859 | "**Malicious Confidence** is the result of averaging any scan data from Virus Total for each hash provided. `None` means no data was returned, but any number is the percentage of the VT providers that detected the hash as malicious." 860 | ] 861 | } 862 | ], 863 | "metadata": { 864 | "kernelspec": { 865 | "display_name": "Python 3 (ipykernel)", 866 | "language": "python", 867 | "name": "python3" 868 | }, 869 | "language_info": { 870 | "codemirror_mode": { 871 | "name": "ipython", 872 | "version": 3 873 | }, 874 | "file_extension": ".py", 875 | "mimetype": "text/x-python", 876 | "name": "python", 877 | "nbconvert_exporter": "python", 878 | "pygments_lexer": "ipython3", 879 | "version": "3.8.10" 880 | } 881 | }, 882 | "nbformat": 4, 883 | "nbformat_minor": 5 884 | } 885 | -------------------------------------------------------------------------------- /incident-response/sysmon-logs/examples/HuntingMetasploit.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mttaggart/blue-jupyter/3266db2fa05a2323614594eda59456b03becece4/incident-response/sysmon-logs/examples/HuntingMetasploit.evtx -------------------------------------------------------------------------------- /incident-response/sysmon-logs/sysmon.py: 
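from Evtx import Evtx
from bs4 import BeautifulSoup


class SysmonEvent:
    """
    Generic wrapper around one Sysmon record parsed into a BeautifulSoup tree.

    Reads only the fields every Sysmon record carries (Security/@UserID,
    EventID, TimeCreated/@SystemTime and the ProcessId/Image/User ``Data``
    elements); the subclasses registered in ``EVENT_TYPES`` add the
    event-specific ``Data`` fields.  Tag names are lowercase throughout
    because the "lxml" HTML parser used by ``build_event`` lowercases
    element names.
    """

    @staticmethod
    def extract_event_data(soup, query):
        """
        Return the text of the first element under EventData matching ``query``.

        Returns "" when EventData or the queried element is missing, so a
        caller cannot tell "absent" from "present but empty".  Only
        AttributeError is swallowed (``soup.eventdata`` or ``select_one``
        yielding None); any other error is a real bug and propagates instead
        of being hidden by a bare ``except``.
        """
        try:
            return soup.eventdata.select_one(query).text
        except AttributeError:
            return ""

    @staticmethod
    def _field(soup, name):
        """Shorthand for ``extract_event_data`` on a ``<Data Name="...">`` element."""
        return SysmonEvent.extract_event_data(soup, f"data[name='{name}']")

    def __init__(self, soup):
        self.soup = soup
        # UserID and SystemTime are attributes, not Data elements: a record
        # lacking the element raises AttributeError (a missing attribute raises
        # KeyError) rather than silently yielding "" like the fields below.
        self.user_id = soup.security.attrs["userid"]
        self.event_id = soup.eventid.text
        self.time_created = soup.timecreated.attrs["systemtime"]
        self.pid = SysmonEvent._field(soup, "ProcessId")
        self.image = SysmonEvent._field(soup, "Image")
        self.user = SysmonEvent._field(soup, "User")


class ProcessCreate(SysmonEvent):
    """
    Event ID 1 (process creation).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.hashes = SysmonEvent._field(soup, "Hashes")
        self.command_line = SysmonEvent._field(soup, "CommandLine")
        self.parent_command_line = SysmonEvent._field(soup, "ParentCommandLine")
        self.parent_image = SysmonEvent._field(soup, "ParentImage")
        self.integrity_levels = SysmonEvent._field(soup, "IntegrityLevel")


class FileCreationTimeChanged(SysmonEvent):
    """
    Event ID 2 (file creation time changed).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.target_filename = SysmonEvent._field(soup, "TargetFilename")
        self.creation_utc_time = SysmonEvent._field(soup, "CreationUtcTime")
        self.previous_creation_utc_time = SysmonEvent._field(soup, "PreviousCreationUtcTime")


class NetworkConnect(SysmonEvent):
    """
    Event ID 3 (network connection).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.src_ip = SysmonEvent._field(soup, "SourceIp")
        self.dest_ip = SysmonEvent._field(soup, "DestinationIp")
        self.src_port = SysmonEvent._field(soup, "SourcePort")
        self.dest_port = SysmonEvent._field(soup, "DestinationPort")
        self.integrity_levels = SysmonEvent._field(soup, "IntegrityLevel")


class DriverLoaded(SysmonEvent):
    """
    Event ID 6 (driver loaded).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.image_loaded = SysmonEvent._field(soup, "ImageLoaded")
        self.signed = SysmonEvent._field(soup, "Signed")
        self.hashes = SysmonEvent._field(soup, "Hashes")
        self.signature = SysmonEvent._field(soup, "Signature")
        self.signature_status = SysmonEvent._field(soup, "SignatureStatus")


class ImageLoaded(SysmonEvent):
    """
    Event ID 7 (image loaded).  Carries the same signing fields as DriverLoaded.
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.image_loaded = SysmonEvent._field(soup, "ImageLoaded")
        self.signed = SysmonEvent._field(soup, "Signed")
        self.hashes = SysmonEvent._field(soup, "Hashes")
        self.signature = SysmonEvent._field(soup, "Signature")
        self.signature_status = SysmonEvent._field(soup, "SignatureStatus")


class CreateRemoteThread(SysmonEvent):
    """
    Event ID 8 (remote thread created).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.source_pid = SysmonEvent._field(soup, "SourceProcessId")
        self.target_pid = SysmonEvent._field(soup, "TargetProcessId")
        self.source_image = SysmonEvent._field(soup, "SourceImage")
        self.target_image = SysmonEvent._field(soup, "TargetImage")
        self.new_thread_id = SysmonEvent._field(soup, "NewThreadId")


class RawAccessRead(SysmonEvent):
    """
    Event ID 9 (raw access read).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.device = SysmonEvent._field(soup, "Device")


class FileCreate(SysmonEvent):
    """
    Event ID 11 (file create).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.target_filename = SysmonEvent._field(soup, "TargetFilename")


class RegistryCreateDelete(SysmonEvent):
    """
    Event ID 12 (registry object created or deleted).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.target_object = SysmonEvent._field(soup, "TargetObject")


class RegistryValueSet(SysmonEvent):
    """
    Event ID 13 (registry value set).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.target_object = SysmonEvent._field(soup, "TargetObject")
        self.details = SysmonEvent._field(soup, "Details")


class RegistryKeyValueRename(SysmonEvent):
    """
    Event ID 14 (registry key or value renamed).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.target_object = SysmonEvent._field(soup, "TargetObject")
        self.new_name = SysmonEvent._field(soup, "NewName")


class PipeEvent(SysmonEvent):
    """
    Event IDs 17 and 18 (named pipe created / connected).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.pipe_name = SysmonEvent._field(soup, "PipeName")


class WmiEventFilter(SysmonEvent):
    """
    Event ID 19 (WMI event filter).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.event_namespace = SysmonEvent._field(soup, "EventNamespace")
        self.filter_name = SysmonEvent._field(soup, "Name")
        self.query = SysmonEvent._field(soup, "Query")


class DNSEvent(SysmonEvent):
    """
    Event ID 22 (DNS query).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.query_name = SysmonEvent._field(soup, "QueryName")
        self.query_results = SysmonEvent._field(soup, "QueryResults")


class ProcessTampering(SysmonEvent):
    """
    Event ID 25 (process tampering).
    """

    def __init__(self, soup):
        super().__init__(soup)
        self.type = SysmonEvent._field(soup, "Type")


# EventID text (as it appears in the XML, hence strings) -> wrapper class.
EVENT_TYPES = {
    "1": ProcessCreate,
    "2": FileCreationTimeChanged,
    "3": NetworkConnect,
    "6": DriverLoaded,
    "7": ImageLoaded,
    "8": CreateRemoteThread,
    "9": RawAccessRead,
    "11": FileCreate,
    "12": RegistryCreateDelete,
    "13": RegistryValueSet,
    "14": RegistryKeyValueRename,
    "17": PipeEvent,
    "18": PipeEvent,
    "19": WmiEventFilter,
    "22": DNSEvent,
    "25": ProcessTampering,
}


def load_event_xml(file_path):
    """
    Return the raw XML string of every record in the .evtx file at ``file_path``.

    The whole log is materialised into a list, so memory grows with the
    number of records in the file.
    """
    with Evtx.Evtx(file_path) as evtx_file:
        return [record.xml() for record in evtx_file.records()]


def build_event(raw_xml):
    """
    Parse one record's XML and wrap it in the class registered for its EventID.

    Falls back to the generic ``SysmonEvent`` for EventIDs not listed in
    ``EVENT_TYPES``, so every record yields an object.
    """
    soup = BeautifulSoup(raw_xml, "lxml")
    event_id = soup.eventid.text
    event_class = EVENT_TYPES.get(event_id, SysmonEvent)
    return event_class(soup)


def load_events(file_path):
    """
    Load the .evtx file at ``file_path`` and return a list of SysmonEvent objects.
    """
    return [build_event(record_xml) for record_xml in load_event_xml(file_path)]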
-------------------------------------------------------------------------------- /malware-analysis/.gitignore: -------------------------------------------------------------------------------- 1 | saved-specimens/* 2 | dropbox/* 3 | -------------------------------------------------------------------------------- /malware-analysis/Malware-Analysis.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "markdown", 5 | "id": "3ce518f2-2d5c-4306-9c7e-c2b722ef35a3", 6 | "metadata": {}, 7 | "source": [ 8 | "# Malware Analysis & Triage Kit\n", 9 | "This notebook performs the initial stages of immediate malware triage.\n", 10 | "\n", 11 | "## How To\n", 12 | "Take your malware specimen and drop it into the `dropbox` directory. The notebook will walk you through the stages of initial analysis.\n", 13 | "\n", 14 | "At the end of this process, you will have a triage report in the `saved-specimens` directory. This report includes findings from initial triage, including the defanged specimen in a password-protected Zip file and static analysis artifacts."
15 | ] 16 | }, 17 | { 18 | "cell_type": "markdown", 19 | "id": "5f44fca4-7efb-4475-80d9-c9379cb20efe", 20 | "metadata": {}, 21 | "source": [ 22 | "# Imports and Setup" 23 | ] 24 | }, 25 | { 26 | "cell_type": "code", 27 | "execution_count": null, 28 | "id": "27c75489", 29 | "metadata": {}, 30 | "outputs": [], 31 | "source": [ 32 | "# Imports\n", 33 | "from hashlib import *\n", 34 | "import sys\n", 35 | "import os\n", 36 | "from getpass import getpass\n", 37 | "from virus_total_apis import PublicApi as VirusTotalPublicApi\n", 38 | "import json\n", 39 | "from MalwareSample import *\n", 40 | "from pprint import pprint\n", 41 | "import os.path\n", 42 | "from time import sleep" 43 | ] 44 | }, 45 | { 46 | "cell_type": "markdown", 47 | "id": "664c107c-4e09-4454-9d0f-14b02a4a4359", 48 | "metadata": {}, 49 | "source": [ 50 | "### Check Dropbox and Saved-Specimens" 51 | ] 52 | }, 53 | { 54 | "cell_type": "code", 55 | "execution_count": null, 56 | "id": "2c185a74-8ca6-47a9-a907-575f9977bf97", 57 | "metadata": {}, 58 | "outputs": [], 59 | "source": [ 60 | "MalwareSample.check_dir(\"dropbox\")\n", 61 | "MalwareSample.check_dir(\"saved-specimens\")\n", 62 | "empty = MalwareSample.is_dir_empty(\"dropbox\")\n", 63 | "if empty:\n", 64 | " print(r\" \\\\--> \" + recc + \"Put some samples in the dropbox!\")" 65 | ] 66 | }, 67 | { 68 | "cell_type": "markdown", 69 | "id": "6040f004-b9e1-40a8-97d7-47a695a244d1", 70 | "metadata": {}, 71 | "source": [ 72 | "### Enumerate Samples in the Dropbox" 73 | ] 74 | }, 75 | { 76 | "cell_type": "code", 77 | "execution_count": null, 78 | "id": "05d854a4-2ee3-46ec-b054-9951ac45a4be", 79 | "metadata": {}, 80 | "outputs": [], 81 | "source": [ 82 | "samples=!ls dropbox/*\n", 83 | "for s in samples:\n", 84 | " print(info + \"Sample: \" + s)" 85 | ] 86 | }, 87 | { 88 | "cell_type": "code", 89 | "execution_count": null, 90 | "id": "6ac2bf59-027e-42d6-90e0-aeed55b19080", 91 | "metadata": {}, 92 | "outputs": [], 93 | "source": [ 94 | "sample_obj = 
[MalwareSample(s) for s in samples]" 95 | ] 96 | }, 97 | { 98 | "cell_type": "markdown", 99 | "id": "d304d261-d1d8-45da-bcb5-895bcf0fa13d", 100 | "metadata": {}, 101 | "source": [ 102 | "### Create a Saved Specimen directory for the specimen(s)" 103 | ] 104 | }, 105 | { 106 | "cell_type": "code", 107 | "execution_count": null, 108 | "id": "2180e548-b0ab-4c22-9be5-ad174c1c731f", 109 | "metadata": {}, 110 | "outputs": [], 111 | "source": [ 112 | "for obj in sample_obj:\n", 113 | " saved_sample_name = MalwareSample.create_specimen_dirs(obj.sample_name)\n", 114 | " obj.saved_sample_name = saved_sample_name" 115 | ] 116 | }, 117 | { 118 | "cell_type": "markdown", 119 | "id": "5bbd76df", 120 | "metadata": {}, 121 | "source": [ 122 | "### Defang Sample" 123 | ] 124 | }, 125 | { 126 | "cell_type": "code", 127 | "execution_count": null, 128 | "id": "26e85823-d891-4dfb-925e-8d36f24d3cb2", 129 | "metadata": {}, 130 | "outputs": [], 131 | "source": [ 132 | "for obj in sample_obj:\n", 133 | " sample_path = MalwareSample.move_and_defang(obj.sample_name, obj.saved_sample_name)\n", 134 | " obj.sample_path = sample_path" 135 | ] 136 | }, 137 | { 138 | "cell_type": "markdown", 139 | "id": "7532c0d9-1a4d-4cc9-af82-f9153d1aaa09", 140 | "metadata": {}, 141 | "source": [ 142 | "---" 143 | ] 144 | }, 145 | { 146 | "cell_type": "markdown", 147 | "id": "6a11a2b7-dca9-4892-82b4-7d2c7d73956c", 148 | "metadata": {}, 149 | "source": [ 150 | "## File Hashes" 151 | ] 152 | }, 153 | { 154 | "cell_type": "markdown", 155 | "id": "b6c61ed7-9ffe-420b-925f-4430abcc0532", 156 | "metadata": {}, 157 | "source": [ 158 | "### SHA256 Sum" 159 | ] 160 | }, 161 | { 162 | "cell_type": "code", 163 | "execution_count": null, 164 | "id": "005b84f0", 165 | "metadata": {}, 166 | "outputs": [], 167 | "source": [ 168 | "for obj in sample_obj:\n", 169 | " hash = MalwareSample.get_sha256sum(obj.sample_path, obj.saved_sample_name)\n", 170 | " obj.sha256sum = hash\n", 171 | " print(info + obj.sample_name + \": \" + 
obj.sha256sum)" 172 | ] 173 | }, 174 | { 175 | "cell_type": "markdown", 176 | "id": "b6262536-41fe-46ef-a122-a7128be06891", 177 | "metadata": {}, 178 | "source": [ 179 | "---" 180 | ] 181 | }, 182 | { 183 | "cell_type": "markdown", 184 | "id": "1ba005fc-242a-44bd-9830-fe02dbd500db", 185 | "metadata": {}, 186 | "source": [ 187 | "## String Analysis" 188 | ] 189 | }, 190 | { 191 | "cell_type": "markdown", 192 | "id": "0b20f1aa", 193 | "metadata": {}, 194 | "source": [ 195 | "### StringSifter\n", 196 | "StringSifter is a FLARE developed tool that uses an ML model to rank a binary's strings by relevance to malware analysis." 197 | ] 198 | }, 199 | { 200 | "cell_type": "code", 201 | "execution_count": null, 202 | "id": "d55ea3ab-ef6e-41f9-a76e-6cd8d16083ed", 203 | "metadata": {}, 204 | "outputs": [], 205 | "source": [ 206 | "length = int(input(recc + \"Input your desired minimum string length [default is 4, 6-8 is recommended] > \"))" 207 | ] 208 | }, 209 | { 210 | "cell_type": "code", 211 | "execution_count": null, 212 | "id": "6703a990-6415-4898-b395-b77dccc629fc", 213 | "metadata": {}, 214 | "outputs": [], 215 | "source": [ 216 | "for obj in sample_obj:\n", 217 | " MalwareSample.pull_strings(length, obj.saved_sample_name, obj.sample_path)" 218 | ] 219 | }, 220 | { 221 | "cell_type": "markdown", 222 | "id": "ae8b0dfd-abcd-4215-87d9-275190551475", 223 | "metadata": {}, 224 | "source": [ 225 | "## VT Analysis\n", 226 | "Submit samples to Virus Total and generate a malicious confidence level." 
227 | ] 228 | }, 229 | { 230 | "cell_type": "code", 231 | "execution_count": null, 232 | "id": "98eea2a6-b219-4e50-ba91-9d43afa5b49c", 233 | "metadata": {}, 234 | "outputs": [], 235 | "source": [ 236 | "VT_API_KEY = getpass(\"Enter VirusTotal API Key (blank if none): \")" 237 | ] 238 | }, 239 | { 240 | "cell_type": "code", 241 | "execution_count": null, 242 | "id": "22aaffd7-4ad5-48cf-bfac-636c62338621", 243 | "metadata": {}, 244 | "outputs": [], 245 | "source": [ 246 | "if VT_API_KEY:\n", 247 | " vt = VirusTotalPublicApi(VT_API_KEY)\n", 248 | "else:\n", 249 | " print(info + \"No VT API Key. Skipping...\")" 250 | ] 251 | }, 252 | { 253 | "cell_type": "markdown", 254 | "id": "b7bfdd87-4fcb-4b05-a0e7-8b1c796f17a7", 255 | "metadata": {}, 256 | "source": [ 257 | "Note: If there are more than 4 samples in the dropbox, hashes are submitted with a sleep of 16 seconds to remain under the public API rate limit. So hit go, grab a beverage of choice, stretch out and relax. This could be a while depending on how many samples you're submitting." 258 | ] 259 | }, 260 | { 261 | "cell_type": "code", 262 | "execution_count": null, 263 | "id": "eab96775-bec5-4501-bfb9-3b3695190dd0", 264 | "metadata": {}, 265 | "outputs": [], 266 | "source": [ 267 | "if VT_API_KEY:\n", 268 | " for obj in sample_obj:\n", 269 | " print(info + obj.sample_name + \":\")\n", 270 | " print(r\" \\\\--> \" + info + \"SHA256sum: \" + obj.sha256sum)\n", 271 | " res = vt.get_file_report(obj.sha256sum)\n", 272 | " conf = malicious_confidence(res)\n", 273 | " print(r\" \\\\--> \" + info + \"Confidence level: \" + str(conf))\n", 274 | " crit_level = determine_criticality(conf)\n", 275 | " obj.criticality = crit_level\n", 276 | " \n", 277 | "\n", 278 | " if len(sample_obj) >= 5:\n", 279 | " sleep(16)\n", 280 | " \n", 281 | "else:\n", 282 | " print(info + \"No VT API Key. 
Skipping...\")" 283 | ] 284 | }, 285 | { 286 | "cell_type": "markdown", 287 | "id": "343fa9fa-4c44-445c-ab71-687f1e7d56fa", 288 | "metadata": {}, 289 | "source": [ 290 | "## Zip and Password Protect" 291 | ] 292 | }, 293 | { 294 | "cell_type": "code", 295 | "execution_count": null, 296 | "id": "d1d38b8e-dc28-42ba-a9ce-2ab3bf11ce61", 297 | "metadata": {}, 298 | "outputs": [], 299 | "source": [ 300 | "for obj in sample_obj:\n", 301 | " zip_file = MalwareSample.zip_and_password_protect(obj.sample_path, obj.saved_sample_name)\n", 302 | " MalwareSample.delete_unzipped_sample(obj.sample_path, zip_file)" 303 | ] 304 | }, 305 | { 306 | "cell_type": "markdown", 307 | "id": "633b965d-d0f8-47ab-ad92-07e379e2cdbf", 308 | "metadata": {}, 309 | "source": [ 310 | "---" 311 | ] 312 | }, 313 | { 314 | "cell_type": "markdown", 315 | "id": "1aca7034-9406-4f2a-bd8b-0b238c72db37", 316 | "metadata": {}, 317 | "source": [ 318 | "### Debug Object Vars" 319 | ] 320 | }, 321 | { 322 | "cell_type": "code", 323 | "execution_count": null, 324 | "id": "9bcc8b5c-46a0-4e5e-bdc8-a9ae68b889ce", 325 | "metadata": {}, 326 | "outputs": [], 327 | "source": [ 328 | "for obj in sample_obj:\n", 329 | " pprint(vars(obj))" 330 | ] 331 | } 332 | ], 333 | "metadata": { 334 | "kernelspec": { 335 | "display_name": "Python 3 (ipykernel)", 336 | "language": "python", 337 | "name": "python3" 338 | }, 339 | "language_info": { 340 | "codemirror_mode": { 341 | "name": "ipython", 342 | "version": 3 343 | }, 344 | "file_extension": ".py", 345 | "mimetype": "text/x-python", 346 | "name": "python", 347 | "nbconvert_exporter": "python", 348 | "pygments_lexer": "ipython3", 349 | "version": "3.8.10" 350 | } 351 | }, 352 | "nbformat": 4, 353 | "nbformat_minor": 5 354 | } 355 | -------------------------------------------------------------------------------- /malware-analysis/MalwareSample.py: -------------------------------------------------------------------------------- 1 | import os 2 | import hashlib 3 | import sys 4 | 
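from datetime import datetime
import pyminizip

sys.path.append('../utils/')
from malware import *
from colors import *

# Globals
root_dir = os.getcwd()
dropbox = "dropbox/"
saved_specimens = "saved-specimens/"
now = datetime.now()
date_time = now.strftime("%m-%d-%Y-%H%M%S")


class MalwareSample:
    """
    One specimen dropped into ``dropbox`` plus the helpers that move it through triage.

    The sample's file name is whatever the dropped file was called, i.e. it is
    untrusted input.  Every path is therefore built with plain string/``os``
    operations and every external tool is invoked with an argument list, never
    by interpolating the name into a shell command line.
    """

    @staticmethod
    def check_dir(dir):
        """
        Create ``dir`` if it does not exist yet and report what was done.

        Used for the dropbox and saved-specimens directories the notebook relies on.
        """
        if os.path.isdir(dir):
            print(info + "Directory '" + dir + "' exists.")
        else:
            os.mkdir(dir)
            print(info + "Created " + dir)

    @staticmethod
    def is_dir_empty(dir) -> bool:
        """
        Return True (and prompt the user) when ``dir`` has no entries, else False.

        Used for the dropbox so the notebook can ask for samples to be dropped in.
        """
        if os.listdir(dir):
            return False
        print(recc + "Directory '" + dir + "' is empty.")
        return True

    def __init__(self, sample_name):
        # The notebook passes "dropbox/<name>"; keep only the final path
        # component so no directory part of an untrusted name can leak into
        # the specimen paths built from it.
        self.sample_name = os.path.basename(sample_name)
        self.saved_sample_name = ""
        self.sample_path = ""
        self.sha256sum = ""

    @classmethod
    def create_specimen_dirs(cls, sample_name) -> str:
        """
        Create the date/time stamped specimen directory that holds all triage artifacts.

        Returns the directory's name (relative to ``saved_specimens``).
        """
        saved_sample_name = str(date_time) + "_" + sample_name
        sample_dir = saved_specimens + saved_sample_name
        # os.makedirs instead of a shell `mkdir`: the name is untrusted and
        # the stamp makes a repeated run within one process a no-op.
        os.makedirs(sample_dir, exist_ok=True)
        return saved_sample_name

    @classmethod
    def move_and_defang(cls, sample_name, saved_sample_name) -> str:
        """
        Copy the sample into its specimen directory under a 'defanged' name, so it
        will not run if accidentally double-clicked while being transferred.

        Renames using convention: [Malware].[Name].[OriginalExtension].[DefangExtension]
        Returns the path of the defanged copy.
        """
        import shutil

        prefix = "Malware."
        suffix = ".malz"
        defanged_sample = prefix + sample_name + suffix
        saved_sample = saved_specimens + saved_sample_name + "/" + defanged_sample
        # Copy for dev/troubleshooting, move (shutil.move) for a prod version.
        # copyfile rather than a shell `cp`: the name is untrusted, and copyfile
        # writes a fresh file without the source's mode bits, so the copy does
        # not carry an execute bit.
        shutil.copyfile(dropbox + sample_name, saved_sample)
        return saved_sample

    @classmethod
    def get_sha256sum(cls, sample_path, saved_sample_name) -> str:
        """
        Hash the sample with SHA-256, write the hex digest to sha256sum.txt in
        the specimen directory and return it.
        """
        sha256_hash = hashlib.sha256()
        with open(sample_path, "rb") as f:
            # Stream in 4 KiB blocks so large samples are never held in memory whole.
            for byte_block in iter(lambda: f.read(4096), b""):
                sha256_hash.update(byte_block)
        sha256_value = sha256_hash.hexdigest()
        with open(saved_specimens + saved_sample_name + "/sha256sum.txt", "w") as shafile:
            shafile.write(sha256_value)
        return sha256_value

    @classmethod
    def pull_strings(cls, length, saved_sample_name, sample_path):
        """
        Extract strings with StringSifter and rank them for malware-analysis relevance.

        Equivalent pipeline:  flarestrings -n <length> <sample> | rank_strings --scores > outfile
        ($ poetry add stringsifter~=2.0).  The ranked output is written to
        StringSifter-Out.log in the specimen directory.  If the tools are not
        installed the error is printed and the step is skipped.
        """
        import subprocess

        sifter_out = "StringSifter-Out.log"
        outfile = saved_specimens + saved_sample_name + "/" + sifter_out
        try:
            # Two processes connected by a pipe, each given an argument list,
            # so the untrusted sample path never reaches a shell.
            with open(outfile, "w") as ranked, subprocess.Popen(
                ["flarestrings", "-n", str(length), sample_path],
                stdout=subprocess.PIPE,
            ) as flare:
                subprocess.run(
                    ["rank_strings", "--scores"],
                    stdin=flare.stdout,
                    stdout=ranked,
                    check=False,
                )
        except FileNotFoundError as e:
            print(printError + "StringSifter not available: " + str(e))
            return
        print(recc + "Written to outfile: " + outfile)

    @classmethod
    def zip_and_password_protect(cls, sample_path, saved_sample_name):
        """
        Zips and password protects sample with standard pass: infected
        """
        zip_name = saved_specimens + saved_sample_name + "/" + saved_sample_name + ".zip"
        password = "infected"
        com_lvl = 5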
pyminizip.compress(sample_path, None, zip_name, 118 | password, com_lvl) 119 | with open(saved_specimens + saved_sample_name + "/" + "password.txt", "w") as password_file: 120 | password_file.write(password) 121 | password_file.close() 122 | return zip_name 123 | 124 | @classmethod 125 | def delete_unzipped_sample(cls, sample_path, zip_name): 126 | """ 127 | Checks if the sample zip file exists and, if so, deletes the original sample. This is the last thing that 128 | should be done during triage. 129 | """ 130 | try: 131 | if os.path.exists(zip_name): 132 | os.remove(sample_path) 133 | except Exception as e: 134 | print(printError + "Error: file does not exist....") 135 | 136 | -------------------------------------------------------------------------------- /malware-analysis/README.md: -------------------------------------------------------------------------------- 1 | # Malware Analysis 2 | This notebook automates the initial stages of malware triage. 3 | 4 | ## Setup 5 | From the `malware-analysis` directory, enter: 6 | ``` 7 | jupyter notebook 8 | ``` 9 | 10 | ## TODO 11 | - [ ] Robust Reporting 12 | - [ ] Findings written to log file 13 | - [ ] Sample name 14 | - [ ] Hash values 15 | - [ ] StringSifter measurements 16 | - [ ] Upload widget 17 | - [ ] SSDeep Fuzzy Hashing (requires apt dependencies so may not be a good fit) 18 | - [ ] "Windows Shopping" No sample on hand? Calls to Malware Bazaar API for a recently submitted sample. 19 | 20 | ## Version 0.2 | "The Hand That Strikes" 21 | We are now cooking on an induction stovetop. 
22 | 23 | - [x] Malware defanged 24 | - [x] StringSifter for ML ranking of extracted strings 25 | - [x] Specimen saved in standard convention `[MalwareType].[Name].[TrueExtension].[DefangedExtension]` 26 | - [x] Archives sample, log output, password file, and other info into date stamped dir in `saved-specimens` in password-protected zip file, password 'infected' 27 | 28 | ## Version 0.1 | The "It's A Start" Update 29 | - [x] Drop malware into dropbox 30 | - [x] Hashes taken 31 | - [x] VT analysis (requires API key) 32 | 33 | 34 | ## WNI 35 | - FLOSS output (dependency adding issue w/ poetry, supplanted by StringSifter) 36 | -------------------------------------------------------------------------------- /malware-analysis/dropbox/SampleNegative.txt: -------------------------------------------------------------------------------- 1 | They're using our own satellites against us. And the clock is ticking. You really think you can fly that thing? Remind me to thank John for a lovely weekend. Did he just throw my cat out of the window? Yeah, but John, if The Pirates of the Caribbean breaks down, the pirates don’t eat the tourists. 2 | 3 | You really think you can fly that thing? What do they got in there? King Kong? Yeah, but John, if The Pirates of the Caribbean breaks down, the pirates don’t eat the tourists. Forget the fat lady! You're obsessed with the fat lady! Drive us out of here! 4 | 5 | Must go faster. Yes, Yes, without the oops! What do they got in there? King Kong? You really think you can fly that thing? Is this my espresso machine? Wh-what is-h-how did you get my espresso machine? Hey, take a look at the earthlings. Goodbye! You know what? It is beets. I've crashed into a beet truck. 6 | 7 | I was part of something special. We gotta burn the rain forest, dump toxic waste, pollute the air, and rip up the OZONE! 'Cause maybe if we screw up this planet enough, they won't want it anymore! Hey, you know how I'm, like, always trying to save the planet? 
Here's my chance. -------------------------------------------------------------------------------- /malware-analysis/dropbox/SamplePositive.txt: -------------------------------------------------------------------------------- 1 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* -------------------------------------------------------------------------------- /malware-analysis/saved-specimens/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mttaggart/blue-jupyter/3266db2fa05a2323614594eda59456b03becece4/malware-analysis/saved-specimens/.gitkeep -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [tool.poetry] 2 | name = "blue-jupyter" 3 | version = "0.1.0" 4 | description = "Jupyter Notebooks for the Blue Team" 5 | authors = ["Michael Taggart "] 6 | license = "MIT" 7 | 8 | [tool.poetry.dependencies] 9 | python = ">=3.10,<3.11" 10 | python-evtx = "^0.7.4" 11 | beautifulsoup4 = "^4.10.0" 12 | lxml = "^4.6.3" 13 | ipywidgets = "^7.6.5" 14 | networkx = "^2.6.3" 15 | colorama = "^0.4.4" 16 | fileupload = "^0.1.5" 17 | pyminizip = "^0.2.4" 18 | vt-py = "^0.7.5" 19 | requests = "^2.26.0" 20 | nest-asyncio = "^1.5.1" 21 | jupyterlab = "^3.5.2" 22 | 23 | [tool.poetry.dev-dependencies] 24 | 25 | [build-system] 26 | requires = ["poetry-core>=1.0.0"] 27 | build-backend = "poetry.core.masonry.api" 28 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | appnope==0.1.2; platform_system == "Darwin" and python_version >= "3.7" and sys_platform == "darwin" \ 2 | --hash=sha256:93aa393e9d6c54c5cd570ccadd8edad61ea0c4b9ea7a01409020c9aa019eb442 \ 3 | --hash=sha256:dd83cd4b5b460958838f6eb3000c660b1f9caf2a5b1de4264e941512f603258a 4 | 
argon2-cffi==21.1.0; python_version >= "3.6" \ 5 | --hash=sha256:f710b61103d1a1f692ca3ecbd1373e28aa5e545ac625ba067ff2feca1b2bb870 \ 6 | --hash=sha256:217b4f0f853ccbbb5045242946ad2e162e396064575860141b71a85eb47e475a \ 7 | --hash=sha256:fa7e7d1fc22514a32b1761fdfa1882b6baa5c36bb3ef557bdd69e6fc9ba14a41 \ 8 | --hash=sha256:e4d8f0ae1524b7b0372a3e574a2561cbdddb3fdb6c28b70a72868189bda19659 \ 9 | --hash=sha256:65213a9174320a1aee03fe826596e0620783966b49eb636955958b3074e87ff9 \ 10 | --hash=sha256:245f64a203012b144b7b8c8ea6d468cb02b37caa5afee5ba4a10c80599334f6a \ 11 | --hash=sha256:4ad152c418f7eb640eac41ac815534e6aa61d1624530b8e7779114ecfbf327f8 \ 12 | --hash=sha256:bc513db2283c385ea4da31a2cd039c33380701f376f4edd12fe56db118a3b21a \ 13 | --hash=sha256:c7a7c8cc98ac418002090e4add5bebfff1b915ea1cb459c578cd8206fef10378 \ 14 | --hash=sha256:165cadae5ac1e26644f5ade3bd9c18d89963be51d9ea8817bd671006d7909057 \ 15 | --hash=sha256:566ffb581bbd9db5562327aee71b2eda24a1c15b23a356740abe3c011bbe0dcb 16 | attrs==21.2.0; python_version >= "3.5" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.5" \ 17 | --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \ 18 | --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb 19 | backcall==0.2.0; python_version >= "3.7" \ 20 | --hash=sha256:fbbce6a29f263178a1f7915c1940bde0ec2b2a967566fe1c65c1dfb7422bd255 \ 21 | --hash=sha256:5cbdbf27be5e7cfadb448baf0aa95508f91f2bbc6c6437cd9cd06e2a4c215e1e 22 | beautifulsoup4==4.10.0; python_full_version > "3.0.0" \ 23 | --hash=sha256:9a315ce70049920ea4572a4055bc4bd700c940521d36fc858205ad4fcde149bf \ 24 | --hash=sha256:c23ad23c521d818955a4151a67d81580319d4bf548d3d49f4223ae041ff98891 25 | bleach==4.1.0; python_version >= "3.7" \ 26 | --hash=sha256:4d2651ab93271d1129ac9cbc679f524565cc8a1b791909c4a51eac4446a15994 \ 27 | --hash=sha256:0900d8b37eba61a802ee40ac0061f8c2b5dee29c1927dd1d233e075ebf5a71da 28 | certifi==2021.5.30; 
python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" \ 29 | --hash=sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8 \ 30 | --hash=sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee 31 | cffi==1.14.6; implementation_name == "pypy" and python_version >= "3.6" \ 32 | --hash=sha256:22b9c3c320171c108e903d61a3723b51e37aaa8c81255b5e7ce102775bd01e2c \ 33 | --hash=sha256:f0c5d1acbfca6ebdd6b1e3eded8d261affb6ddcf2186205518f1428b8569bb99 \ 34 | --hash=sha256:99f27fefe34c37ba9875f224a8f36e31d744d8083e00f520f133cab79ad5e819 \ 35 | --hash=sha256:55af55e32ae468e9946f741a5d51f9896da6b9bf0bbdd326843fec05c730eb20 \ 36 | --hash=sha256:7bcac9a2b4fdbed2c16fa5681356d7121ecabf041f18d97ed5b8e0dd38a80224 \ 37 | --hash=sha256:ed38b924ce794e505647f7c331b22a693bee1538fdf46b0222c4717b42f744e7 \ 38 | --hash=sha256:e22dcb48709fc51a7b58a927391b23ab37eb3737a98ac4338e2448bef8559b33 \ 39 | --hash=sha256:aedb15f0a5a5949ecb129a82b72b19df97bbbca024081ed2ef88bd5c0a610534 \ 40 | --hash=sha256:48916e459c54c4a70e52745639f1db524542140433599e13911b2f329834276a \ 41 | --hash=sha256:f627688813d0a4140153ff532537fbe4afea5a3dffce1f9deb7f91f848a832b5 \ 42 | --hash=sha256:f0010c6f9d1a4011e429109fda55a225921e3206e7f62a0c22a35344bfd13cca \ 43 | --hash=sha256:57e555a9feb4a8460415f1aac331a2dc833b1115284f7ded7278b54afc5bd218 \ 44 | --hash=sha256:e8c6a99be100371dbb046880e7a282152aa5d6127ae01783e37662ef73850d8f \ 45 | --hash=sha256:19ca0dbdeda3b2615421d54bef8985f72af6e0c47082a8d26122adac81a95872 \ 46 | --hash=sha256:d950695ae4381ecd856bcaf2b1e866720e4ab9a1498cba61c602e56630ca7195 \ 47 | --hash=sha256:e9dc245e3ac69c92ee4c167fbdd7428ec1956d4e754223124991ef29eb57a09d \ 48 | --hash=sha256:a8661b2ce9694ca01c529bfa204dbb144b275a31685a075ce123f12331be790b \ 49 | --hash=sha256:b315d709717a99f4b27b59b021e6207c64620790ca3e0bde636a6c7f14618abb \ 50 | --hash=sha256:80b06212075346b5546b0417b9f2bf467fea3bfe7352f781ffc05a8ab24ba14a \ 51 | 
--hash=sha256:a9da7010cec5a12193d1af9872a00888f396aba3dc79186604a09ea3ee7c029e \ 52 | --hash=sha256:4373612d59c404baeb7cbd788a18b2b2a8331abcc84c3ba40051fcd18b17a4d5 \ 53 | --hash=sha256:f10afb1004f102c7868ebfe91c28f4a712227fe4cb24974350ace1f90e1febbf \ 54 | --hash=sha256:fd4305f86f53dfd8cd3522269ed7fc34856a8ee3709a5e28b2836b2db9d4cd69 \ 55 | --hash=sha256:6d6169cb3c6c2ad50db5b868db6491a790300ade1ed5d1da29289d73bbe40b56 \ 56 | --hash=sha256:5d4b68e216fc65e9fe4f524c177b54964af043dde734807586cf5435af84045c \ 57 | --hash=sha256:33791e8a2dc2953f28b8d8d300dde42dd929ac28f974c4b4c6272cb2955cb762 \ 58 | --hash=sha256:0c0591bee64e438883b0c92a7bed78f6290d40bf02e54c5bf0978eaf36061771 \ 59 | --hash=sha256:8eb687582ed7cd8c4bdbff3df6c0da443eb89c3c72e6e5dcdd9c81729712791a \ 60 | --hash=sha256:ba6f2b3f452e150945d58f4badd92310449876c4c954836cfb1803bdd7b422f0 \ 61 | --hash=sha256:64fda793737bc4037521d4899be780534b9aea552eb673b9833b01f945904c2e \ 62 | --hash=sha256:9f3e33c28cd39d1b655ed1ba7247133b6f7fc16fa16887b120c0c670e35ce346 \ 63 | --hash=sha256:26bb2549b72708c833f5abe62b756176022a7b9a7f689b571e74c8478ead51dc \ 64 | --hash=sha256:eb687a11f0a7a1839719edd80f41e459cc5366857ecbed383ff376c4e3cc6afd \ 65 | --hash=sha256:d2ad4d668a5c0645d281dcd17aff2be3212bc109b33814bbb15c4939f44181cc \ 66 | --hash=sha256:487d63e1454627c8e47dd230025780e91869cfba4c753a74fda196a1f6ad6548 \ 67 | --hash=sha256:c33d18eb6e6bc36f09d793c0dc58b0211fccc6ae5149b808da4a62660678b156 \ 68 | --hash=sha256:06c54a68935738d206570b20da5ef2b6b6d92b38ef3ec45c5422c0ebaf338d4d \ 69 | --hash=sha256:f174135f5609428cc6e1b9090f9268f5c8935fddb1b25ccb8255a2d50de6789e \ 70 | --hash=sha256:f3ebe6e73c319340830a9b2825d32eb6d8475c1dac020b4f0aa774ee3b898d1c \ 71 | --hash=sha256:3c8d896becff2fa653dc4438b54a5a25a971d1f4110b32bd3068db3722c80202 \ 72 | --hash=sha256:4922cd707b25e623b902c86188aca466d3620892db76c0bdd7b99a3d5e61d35f \ 73 | --hash=sha256:c9e005e9bd57bc987764c32a1bee4364c44fdc11a3cc20a40b93b444984f2b87 \ 74 | 
--hash=sha256:eb9e2a346c5238a30a746893f23a9535e700f8192a68c07c0258e7ece6ff3728 \ 75 | --hash=sha256:818014c754cd3dba7229c0f5884396264d51ffb87ec86e927ef0be140bfdb0d2 \ 76 | --hash=sha256:c9a875ce9d7fe32887784274dd533c57909b7b1dcadcc128a2ac21331a9765dd 77 | charset-normalizer==2.0.6; python_full_version >= "3.6.0" and python_version >= "3" \ 78 | --hash=sha256:5ec46d183433dcbd0ab716f2d7f29d8dee50505b3fdb40c6b985c7c4f5a3591f \ 79 | --hash=sha256:5d209c0a931f215cee683b6445e2d77677e7e75e159f78def0db09d68fafcaa6 80 | colorama==0.4.4; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0") \ 81 | --hash=sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2 \ 82 | --hash=sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b 83 | configparser==4.0.2; python_version >= "2.6" \ 84 | --hash=sha256:254c1d9c79f60c45dfde850850883d5aaa7f19a23f13561243a050d5a7c3fe4c \ 85 | --hash=sha256:c7d282687a5308319bf3d2e7706e575c635b0a470342641c93bea0ea3b5331df 86 | debugpy==1.4.3; python_version >= "3.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.7" \ 87 | --hash=sha256:88b17d7c2130968f75bdc706a33f46a8a6bb90f09512ea3bd984659d446ee4f4 \ 88 | --hash=sha256:5ded60b402f83df46dee3f25ae5851809937176afdafd3fdbaab60b633b77cad \ 89 | --hash=sha256:c0fd1a66e104752f86ca2faa6a0194dae61442a768f85369fc3d11bacff8120f \ 90 | --hash=sha256:f907941ad7a460646773eb3baae4c88836e9256b390dfbfae8d92a3d3b849a7d \ 91 | --hash=sha256:135a77ac1a8f6ea49a69928f088967d36842bc492d89b45941c6b19222cffa42 \ 92 | --hash=sha256:f3dcc294f3b4d79fdd7ffe1350d5d1e3cc29acaec67dd1c43143a43305bbbc91 \ 93 | --hash=sha256:c3d7db37b7eb234e49f50ba22b3b1637e8daadd68985d9cd35a6152aa10faa75 \ 94 | --hash=sha256:dbda8f877c3dec1559c01c63a1de63969e51a4907dc308f4824238bb776026fe \ 95 | --hash=sha256:7c15014290150b76f0311debf7fbba2e934680572ea60750b0f048143e873b3e \ 96 | 
--hash=sha256:8d488356cc66172f1ea29635fd148ad131f13fad0e368ae03cc5c0a402372756 \ 97 | --hash=sha256:7e7210a3721fc54b52d8dc2f325e7c937ffcbba02b808e2e3215dcbf0c0b8349 \ 98 | --hash=sha256:3e4de96c70f3398abd1777f048b47564d98a40df1f72d33b47ef5b9478e07206 \ 99 | --hash=sha256:2019ffcd08d7e643c644cd64bee0fd53c730cb8f15ff37e6a320b5afd3785bfa \ 100 | --hash=sha256:847926f78c1e33f7318a743837adb6a9b360a825b558fd21f9240ba518fe1bb1 \ 101 | --hash=sha256:c9665e58b80d839ae1b0815341c63d00cae557c018f198c0b6b7bc5de9eca144 \ 102 | --hash=sha256:ab3f33499c597a2ce454b81088e7f9d56127686e003c4f7a1c97ad4b38a55404 \ 103 | --hash=sha256:0c523fcbb6fb395403ee8508853767b74949335d5cdacc9f83d350670c2c0db2 \ 104 | --hash=sha256:4d53fe5aecf03ba466aa7fa7474c2b2fe28b2a6c0d36688d1e29382bfe88dd5f 105 | decorator==5.1.0; python_version >= "3.7" \ 106 | --hash=sha256:7b12e7c3c6ab203a29e157335e9122cb03de9ab7264b137594103fd4a683b374 \ 107 | --hash=sha256:e59913af105b9860aa2c8d3272d9de5a56a4e608db9a2f167a8480b323d529a7 108 | defusedxml==0.7.1; python_version >= "3.7" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version >= "3.7" \ 109 | --hash=sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 \ 110 | --hash=sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69 111 | entrypoints==0.3; python_full_version >= "3.6.1" and python_version >= "3.7" \ 112 | --hash=sha256:589f874b313739ad35be6e0cd7efde2a4e9b6fea91edcc34e58ecbb8dbe56d19 \ 113 | --hash=sha256:c70dd71abe5a8c85e55e12c19bd91ccfeec11a6e99044204511f9ed547d48451 114 | fasttext==0.9.2; python_version >= "3.8" \ 115 | --hash=sha256:665556f1f6dcb4fcbe25fa8ebcd4f71b18fa96a090de09d88d97a60cbd29dcb5 116 | fileupload==0.1.5 \ 117 | --hash=sha256:31d31c1e4f7c74632e66bc53b46c94a3691fc68e449bdcb54d7653be5d4139c5 118 | hexdump==3.3 \ 119 | --hash=sha256:d781a43b0c16ace3f9366aade73e8ad3a7bd5137d58f0b45ab2d3f54876f20db 120 | idna==3.2; python_version >= "3.5" and python_full_version < "3.0.0" or 
python_full_version >= "3.6.0" and python_version >= "3.5" \ 121 | --hash=sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a \ 122 | --hash=sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3 123 | ipykernel==6.4.1; python_version >= "3.7" \ 124 | --hash=sha256:a3f6c2dda2ecf63b37446808a70ed825fea04790779ca524889c596deae0def8 \ 125 | --hash=sha256:df3355e5eec23126bc89767a676c5f0abfc7f4c3497d118c592b83b316e8c0cd 126 | ipython-genutils==0.2.0; python_version >= "3.7" \ 127 | --hash=sha256:72dd37233799e619666c9f639a9da83c34013a73e8bbc79a7a6348d93c61fab8 \ 128 | --hash=sha256:eb2e116e75ecef9d4d228fdc66af54269afa26ab4463042e33785b887c628ba8 129 | ipython==7.28.0; python_version >= "3.7" \ 130 | --hash=sha256:f16148f9163e1e526f1008d7c8d966d9c15600ca20d1a754287cf96d00ba6f1d \ 131 | --hash=sha256:2097be5c814d1b974aea57673176a924c4c8c9583890e7a5f082f547b9975b11 132 | ipywidgets==7.6.5 \ 133 | --hash=sha256:d258f582f915c62ea91023299603be095de19afb5ee271698f88327b9fe9bf43 \ 134 | --hash=sha256:00974f7cb4d5f8d494c19810fedb9fa9b64bffd3cda7c2be23c133a1ad3c99c5 135 | jedi==0.18.0; python_version >= "3.7" \ 136 | --hash=sha256:18456d83f65f400ab0c2d3319e48520420ef43b23a086fdc05dff34132f0fb93 \ 137 | --hash=sha256:92550a404bad8afed881a137ec9a461fed49eca661414be45059329614ed0707 138 | jinja2==3.0.1; python_version >= "3.7" \ 139 | --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \ 140 | --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4 141 | joblib==0.16.0; python_version >= "3.8" \ 142 | --hash=sha256:d348c5d4ae31496b2aa060d6d9b787864dd204f9480baaa52d18850cb43e9f49 \ 143 | --hash=sha256:8f52bf24c64b608bf0b2563e0e47d6fcf516abc8cfafe10cfd98ad66d94f92d6 144 | jsonschema==3.2.0; python_version >= "3.5" \ 145 | --hash=sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163 \ 146 | --hash=sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a 147 | 
jupyter-client==7.0.3; python_full_version >= "3.6.1" and python_version >= "3.7" \ 148 | --hash=sha256:b07ceecb8f845f908bbd0f78bb17c0abac7b393de9d929bd92190e36c24c201e \ 149 | --hash=sha256:bb58e3218d74e072673948bd1e2a6bb3b65f32447b3e8c143eeca16b946ee230 150 | jupyter-core==4.8.1; python_full_version >= "3.6.1" and python_version >= "3.7" \ 151 | --hash=sha256:8dd262ec8afae95bd512518eb003bc546b76adbf34bf99410e9accdf4be9aa3a \ 152 | --hash=sha256:ef210dcb4fca04de07f2ead4adf408776aca94d17151d6f750ad6ded0b91ea16 153 | jupyterlab-pygments==0.1.2; python_version >= "3.7" \ 154 | --hash=sha256:abfb880fd1561987efaefcb2d2ac75145d2a5d0139b1876d5be806e32f630008 \ 155 | --hash=sha256:cfcda0873626150932f438eccf0f8bf22bfa92345b814890ab360d666b254146 156 | jupyterlab-widgets==1.0.2; python_version >= "3.6" \ 157 | --hash=sha256:f5d9efface8ec62941173ba1cffb2edd0ecddc801c11ae2931e30b50492eb8f7 \ 158 | --hash=sha256:7885092b2b96bf189c3a705cc3c412a4472ec5e8382d0b47219a66cccae73cfa 159 | lightgbm==3.2.1; python_version >= "3.8" \ 160 | --hash=sha256:79719706046faf708d9436cd989e9c61696ceb1c5fbaf1257ae9c2fa7bcff686 \ 161 | --hash=sha256:b4c158f3026cdf5087a047945686a38b6a1e0f761627907fd959cb7afc2743b3 \ 162 | --hash=sha256:95b0f1c8fec232be2995502151f8a168e30e7fd9a8e89d835ca5919820cd9033 \ 163 | --hash=sha256:0999f69e420281fc450d5ee4559ce0595931750aa377ff1c0228150505ea2bf8 \ 164 | --hash=sha256:bd98e3b501b4c24dc127f4ad93e467f42923fe3eefa99e143b5b93158f024395 165 | lxml==4.6.3; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.5.0") \ 166 | --hash=sha256:df7c53783a46febb0e70f6b05df2ba104610f2fb0d27023409734a3ecbb78fb2 \ 167 | --hash=sha256:1b7584d421d254ab86d4f0b13ec662a9014397678a7c4265a02a6d7c2b18a75f \ 168 | --hash=sha256:079f3ae844f38982d156efce585bc540c16a926d4436712cf4baee0cce487a3d \ 169 | --hash=sha256:bc4313cbeb0e7a416a488d72f9680fffffc645f8a838bd2193809881c67dd106 \ 170 | 
--hash=sha256:8157dadbb09a34a6bd95a50690595e1fa0af1a99445e2744110e3dca7831c4ee \ 171 | --hash=sha256:7728e05c35412ba36d3e9795ae8995e3c86958179c9770e65558ec3fdfd3724f \ 172 | --hash=sha256:4bff24dfeea62f2e56f5bab929b4428ae6caba2d1eea0c2d6eb618e30a71e6d4 \ 173 | --hash=sha256:64812391546a18896adaa86c77c59a4998f33c24788cadc35789e55b727a37f4 \ 174 | --hash=sha256:c1a40c06fd5ba37ad39caa0b3144eb3772e813b5fb5b084198a985431c2f1e8d \ 175 | --hash=sha256:74f7d8d439b18fa4c385f3f5dfd11144bb87c1da034a466c5b5577d23a1d9b51 \ 176 | --hash=sha256:f90ba11136bfdd25cae3951af8da2e95121c9b9b93727b1b896e3fa105b2f586 \ 177 | --hash=sha256:4c61b3a0db43a1607d6264166b230438f85bfed02e8cff20c22e564d0faff354 \ 178 | --hash=sha256:5c8c163396cc0df3fd151b927e74f6e4acd67160d6c33304e805b84293351d16 \ 179 | --hash=sha256:f2380a6376dfa090227b663f9678150ef27543483055cc327555fb592c5967e2 \ 180 | --hash=sha256:c4f05c5a7c49d2fb70223d0d5bcfbe474cf928310ac9fa6a7c6dddc831d0b1d4 \ 181 | --hash=sha256:d2e35d7bf1c1ac8c538f88d26b396e73dd81440d59c1ef8522e1ea77b345ede4 \ 182 | --hash=sha256:289e9ca1a9287f08daaf796d96e06cb2bc2958891d7911ac7cae1c5f9e1e0ee3 \ 183 | --hash=sha256:bccbfc27563652de7dc9bdc595cb25e90b59c5f8e23e806ed0fd623755b6565d \ 184 | --hash=sha256:d916d31fd85b2f78c76400d625076d9124de3e4bda8b016d25a050cc7d603f24 \ 185 | --hash=sha256:820628b7b3135403540202e60551e741f9b6d3304371712521be939470b454ec \ 186 | --hash=sha256:c47ff7e0a36d4efac9fd692cfa33fbd0636674c102e9e8d9b26e1b93a94e7617 \ 187 | --hash=sha256:5a0a14e264069c03e46f926be0d8919f4105c1623d620e7ec0e612a2e9bf1c04 \ 188 | --hash=sha256:92e821e43ad382332eade6812e298dc9701c75fe289f2a2d39c7960b43d1e92a \ 189 | --hash=sha256:efd7a09678fd8b53117f6bae4fa3825e0a22b03ef0a932e070c0bdbb3a35e654 \ 190 | --hash=sha256:efac139c3f0bf4f0939f9375af4b02c5ad83a622de52d6dfa8e438e8e01d0eb0 \ 191 | --hash=sha256:0fbcf5565ac01dff87cbfc0ff323515c823081c5777a9fc7703ff58388c258c3 \ 192 | --hash=sha256:36108c73739985979bf302006527cf8a20515ce444ba916281d1c43938b8bb96 \ 193 
| --hash=sha256:122fba10466c7bd4178b07dba427aa516286b846b2cbd6f6169141917283aae2 \ 194 | --hash=sha256:cdaf11d2bd275bf391b5308f86731e5194a21af45fbaaaf1d9e8147b9160ea92 \ 195 | --hash=sha256:3439c71103ef0e904ea0a1901611863e51f50b5cd5e8654a151740fde5e1cade \ 196 | --hash=sha256:4289728b5e2000a4ad4ab8da6e1db2e093c63c08bdc0414799ee776a3f78da4b \ 197 | --hash=sha256:b007cbb845b28db4fb8b6a5cdcbf65bacb16a8bd328b53cbc0698688a68e1caa \ 198 | --hash=sha256:76fa7b1362d19f8fbd3e75fe2fb7c79359b0af8747e6f7141c338f0bee2f871a \ 199 | --hash=sha256:26e761ab5b07adf5f555ee82fb4bfc35bf93750499c6c7614bd64d12aaa67927 \ 200 | --hash=sha256:e1cbd3f19a61e27e011e02f9600837b921ac661f0c40560eefb366e4e4fb275e \ 201 | --hash=sha256:66e575c62792c3f9ca47cb8b6fab9e35bab91360c783d1606f758761810c9791 \ 202 | --hash=sha256:1b38116b6e628118dea5b2186ee6820ab138dbb1e24a13e478490c7db2f326ae \ 203 | --hash=sha256:89b8b22a5ff72d89d48d0e62abb14340d9e99fd637d046c27b8b257a01ffbe28 \ 204 | --hash=sha256:2a9d50e69aac3ebee695424f7dbd7b8c6d6eb7de2a2eb6b0f6c7db6aa41e02b7 \ 205 | --hash=sha256:ce256aaa50f6cc9a649c51be3cd4ff142d67295bfc4f490c9134d0f9f6d58ef0 \ 206 | --hash=sha256:7610b8c31688f0b1be0ef882889817939490a36d0ee880ea562a4e1399c447a1 \ 207 | --hash=sha256:f8380c03e45cf09f8557bdaa41e1fa7c81f3ae22828e1db470ab2a6c96d8bc23 \ 208 | --hash=sha256:3082c518be8e97324390614dacd041bb1358c882d77108ca1957ba47738d9d59 \ 209 | --hash=sha256:884ab9b29feaca361f7f88d811b1eea9bfca36cf3da27768d28ad45c3ee6f969 \ 210 | --hash=sha256:6f12e1427285008fd32a6025e38e977d44d6382cf28e7201ed10d6c1698d2a9a \ 211 | --hash=sha256:33bb934a044cf32157c12bfcfbb6649807da20aa92c062ef51903415c704704f \ 212 | --hash=sha256:542d454665a3e277f76954418124d67516c5f88e51a900365ed54a9806122b83 \ 213 | --hash=sha256:39b78571b3b30645ac77b95f7c69d1bffc4cf8c3b157c435a34da72e78c82468 214 | markupsafe==2.0.1; python_version >= "3.6" \ 215 | --hash=sha256:d8446c54dc28c01e5a2dbac5a25f071f6653e6e40f3a8818e8b45d790fe6ef53 \ 216 | 
--hash=sha256:36bc903cbb393720fad60fc28c10de6acf10dc6cc883f3e24ee4012371399a38 \ 217 | --hash=sha256:2d7d807855b419fc2ed3e631034685db6079889a1f01d5d9dac950f764da3dad \ 218 | --hash=sha256:add36cb2dbb8b736611303cd3bfcee00afd96471b09cda130da3581cbdc56a6d \ 219 | --hash=sha256:168cd0a3642de83558a5153c8bd34f175a9a6e7f6dc6384b9655d2697312a646 \ 220 | --hash=sha256:99df47edb6bda1249d3e80fdabb1dab8c08ef3975f69aed437cb69d0a5de1e28 \ 221 | --hash=sha256:e0f138900af21926a02425cf736db95be9f4af72ba1bb21453432a07f6082134 \ 222 | --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \ 223 | --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \ 224 | --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \ 225 | --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \ 226 | --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \ 227 | --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \ 228 | --hash=sha256:bf5d821ffabf0ef3533c39c518f3357b171a1651c1ff6827325e4489b0e46c3c \ 229 | --hash=sha256:0d4b31cc67ab36e3392bbf3862cfbadac3db12bdd8b02a2731f509ed5b829724 \ 230 | --hash=sha256:baa1a4e8f868845af802979fcdbf0bb11f94f1cb7ced4c4b8a351bb60d108145 \ 231 | --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \ 232 | --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \ 233 | --hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \ 234 | --hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \ 235 | --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \ 236 | --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \ 237 | --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \ 238 | --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \ 239 
| --hash=sha256:e9936f0b261d4df76ad22f8fee3ae83b60d7c3e871292cd42f40b81b70afae85 \ 240 | --hash=sha256:2a7d351cbd8cfeb19ca00de495e224dea7e7d919659c2841bbb7f420ad03e2d6 \ 241 | --hash=sha256:60bf42e36abfaf9aff1f50f52644b336d4f0a3fd6d8a60ca0d054ac9f713a864 \ 242 | --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \ 243 | --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \ 244 | --hash=sha256:5bb28c636d87e840583ee3adeb78172efc47c8b26127267f54a9c0ec251d41a9 \ 245 | --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \ 246 | --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \ 247 | --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \ 248 | --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \ 249 | --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \ 250 | --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \ 251 | --hash=sha256:6fcf051089389abe060c9cd7caa212c707e58153afa2c649f00346ce6d260f1b \ 252 | --hash=sha256:5855f8438a7d1d458206a2466bf82b0f104a3724bf96a1c781ab731e4201731a \ 253 | --hash=sha256:3dd007d54ee88b46be476e293f48c85048603f5f516008bee124ddd891398ed6 \ 254 | --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \ 255 | --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \ 256 | --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \ 257 | --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \ 258 | --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \ 259 | --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \ 260 | --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \ 261 | --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \ 
262 | --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \ 263 | --hash=sha256:c47adbc92fc1bb2b3274c4b3a43ae0e4573d9fbff4f54cd484555edbf030baf1 \ 264 | --hash=sha256:37205cac2a79194e3750b0af2a5720d95f786a55ce7df90c3af697bfa100eaac \ 265 | --hash=sha256:1f2ade76b9903f39aa442b4aadd2177decb66525062db244b35d71d0ee8599b6 \ 266 | --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \ 267 | --hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \ 268 | --hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a 269 | matplotlib-inline==0.1.3; python_version >= "3.7" \ 270 | --hash=sha256:a04bfba22e0d1395479f866853ec1ee28eea1485c1d69a6faf00dc3e24ff34ee \ 271 | --hash=sha256:aed605ba3b72462d64d475a21a9296f400a19c4f74a31b59103d2a99ffd5aa5c 272 | mistune==0.8.4; python_version >= "3.7" \ 273 | --hash=sha256:88a1051873018da288eee8538d476dffe1262495144b33ecb586c4ab266bb8d4 \ 274 | --hash=sha256:59a3429db53c50b5c6bcc8a07f8848cb00d7dc8bdb431a4ab41920d201d4756e 275 | more-itertools==5.0.0; python_version >= "2.7" \ 276 | --hash=sha256:38a936c0a6d98a38bcc2d03fdaaedaba9f412879461dd2ceff8d37564d6522e4 \ 277 | --hash=sha256:c0a5785b1109a6bd7fac76d6837fd1feca158e54e521ccd2ae8bfe393cc9d4fc \ 278 | --hash=sha256:fe7a7cae1ccb57d33952113ff4fa1bc5f879963600ed74918f1236e212ee50b9 279 | nbclient==0.5.4; python_full_version >= "3.6.1" and python_version >= "3.7" \ 280 | --hash=sha256:95a300c6fbe73721736cf13972a46d8d666f78794b832866ed7197a504269e11 \ 281 | --hash=sha256:6c8ad36a28edad4562580847f9f1636fe5316a51a323ed85a24a4ad37d4aefce 282 | nbconvert==6.2.0; python_version >= "3.7" \ 283 | --hash=sha256:b1b9dc4f1ff6cafae0e6d91f42fb9046fdc32e6beb6d7e2fa2cd7191ad535240 \ 284 | --hash=sha256:16ceecd0afaa8fd26c245fa32e2c52066c02f13aa73387fffafd84750baea863 285 | nbformat==5.1.3; python_full_version >= "3.6.1" and python_version >= "3.7" \ 286 | 
--hash=sha256:eb8447edd7127d043361bc17f2f5a807626bc8e878c7709a1c647abda28a9171 \ 287 | --hash=sha256:b516788ad70771c6250977c1374fcca6edebe6126fd2adb5a69aa5c2356fd1c8 288 | nest-asyncio==1.5.1; python_full_version >= "3.6.1" and python_version >= "3.7" \ 289 | --hash=sha256:76d6e972265063fe92a90b9cc4fb82616e07d586b346ed9d2c89a4187acea39c \ 290 | --hash=sha256:afc5a1c515210a23c461932765691ad39e8eba6551c055ac8d5546e69250d0aa 291 | networkx==2.6.3; python_version >= "3.7" \ 292 | --hash=sha256:80b6b89c77d1dfb64a4c7854981b60aeea6360ac02c6d4e4913319e0a313abef \ 293 | --hash=sha256:c0946ed31d71f1b732b5aaa6da5a0388a345019af232ce2f49c766e2d6795c51 294 | notebook==6.4.4; python_version >= "3.6" \ 295 | --hash=sha256:33488bdcc5cbef23c3cfa12cd51b0b5459a211945b5053d17405980611818149 \ 296 | --hash=sha256:26b0095c568e307a310fd78818ad8ebade4f00462dada4c0e34cbad632b9085d 297 | numpy==1.21.2; python_version >= "3.8" and python_version < "3.11" \ 298 | --hash=sha256:52a664323273c08f3b473548bf87c8145b7513afd63e4ebba8496ecd3853df13 \ 299 | --hash=sha256:51a7b9db0a2941434cd930dacaafe0fc9da8f3d6157f9d12f761bbde93f46218 \ 300 | --hash=sha256:9f2dc79c093f6c5113718d3d90c283f11463d77daa4e83aeeac088ec6a0bda52 \ 301 | --hash=sha256:a55e4d81c4260386f71d22294795c87609164e22b28ba0d435850fbdf82fc0c5 \ 302 | --hash=sha256:426a00b68b0d21f2deb2ace3c6d677e611ad5a612d2c76494e24a562a930c254 \ 303 | --hash=sha256:298156f4d3d46815eaf0fcf0a03f9625fc7631692bd1ad851517ab93c3168fc6 \ 304 | --hash=sha256:09858463db6dd9f78b2a1a05c93f3b33d4f65975771e90d2cf7aadb7c2f66edf \ 305 | --hash=sha256:805459ad8baaf815883d0d6f86e45b3b0b67d823a8f3fa39b1ed9c45eaf5edf1 \ 306 | --hash=sha256:f545c082eeb09ae678dd451a1b1dbf17babd8a0d7adea02897a76e639afca310 \ 307 | --hash=sha256:b160b9a99ecc6559d9e6d461b95c8eec21461b332f80267ad2c10394b9503496 \ 308 | --hash=sha256:a5109345f5ce7ddb3840f5970de71c34a0ff7fceb133c9441283bb8250f532a3 \ 309 | --hash=sha256:209666ce9d4a817e8a4597cd475b71b4878a85fa4b8db41d79fdb4fdee01dde2 \ 310 | 
--hash=sha256:c01b59b33c7c3ba90744f2c695be571a3bd40ab2ba7f3d169ffa6db3cfba614f \ 311 | --hash=sha256:e42029e184008a5fd3d819323345e25e2337b0ac7f5c135b7623308530209d57 \ 312 | --hash=sha256:7fdc7689daf3b845934d67cb221ba8d250fdca20ac0334fea32f7091b93f00d3 \ 313 | --hash=sha256:550564024dc5ceee9421a86fc0fb378aa9d222d4d0f858f6669eff7410c89bef \ 314 | --hash=sha256:bf75d5825ef47aa51d669b03ce635ecb84d69311e05eccea083f31c7570c9931 \ 315 | --hash=sha256:a9da45b748caad72ea4a4ed57e9cd382089f33c5ec330a804eb420a496fa760f \ 316 | --hash=sha256:e167b9805de54367dcb2043519382be541117503ce99e3291cc9b41ca0a83557 \ 317 | --hash=sha256:466e682264b14982012887e90346d33435c984b7fead7b85e634903795c8fdb0 \ 318 | --hash=sha256:dd0e3651d210068d13e18503d75aaa45656eef51ef0b261f891788589db2cc38 \ 319 | --hash=sha256:92a0ab128b07799dd5b9077a9af075a63467d03ebac6f8a93e6440abfea4120d \ 320 | --hash=sha256:fde50062d67d805bc96f1a9ecc0d37bfc2a8f02b937d2c50824d186aa91f2419 \ 321 | --hash=sha256:640c1ccfd56724f2955c237b6ccce2e5b8607c3bc1cc51d3933b8c48d1da3723 \ 322 | --hash=sha256:5de64950137f3a50b76ce93556db392e8f1f954c2d8207f78a92d1f79aa9f737 \ 323 | --hash=sha256:b342064e647d099ca765f19672696ad50c953cac95b566af1492fd142283580f \ 324 | --hash=sha256:30fc68307c0155d2a75ad19844224be0f2c6f06572d958db4e2053f816b859ad \ 325 | --hash=sha256:b5e8590b9245803c849e09bae070a8e1ff444f45e3f0bed558dd722119eea724 \ 326 | --hash=sha256:d96a6a7d74af56feb11e9a443150216578ea07b7450f7c05df40eec90af7f4a7 \ 327 | --hash=sha256:423216d8afc5923b15df86037c6053bf030d15cc9e3224206ef868c2d63dd6dc 328 | packaging==21.0; python_version >= "3.7" \ 329 | --hash=sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14 \ 330 | --hash=sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7 331 | pandocfilters==1.5.0; python_version >= "3.7" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.7" \ 332 | 
--hash=sha256:33aae3f25fd1a026079f5d27bdd52496f0e0803b3469282162bafdcbdf6ef14f \ 333 | --hash=sha256:0b679503337d233b4339a817bfc8c50064e2eff681314376a47cb582305a7a38 334 | parso==0.8.2; python_version >= "3.7" \ 335 | --hash=sha256:a8c4922db71e4fdb90e0d0bc6e50f9b273d3397925e5e60a717e719201778d22 \ 336 | --hash=sha256:12b83492c6239ce32ff5eed6d3639d6a536170723c6f3f1506869f1ace413398 337 | pexpect==4.8.0; sys_platform != "win32" and python_version >= "3.7" \ 338 | --hash=sha256:0b48a55dcb3c05f3329815901ea4fc1537514d6ba867a152b581d69ae3710937 \ 339 | --hash=sha256:fc65a43959d153d0114afe13997d439c22823a27cefceb5ff35c2178c6784c0c 340 | pickleshare==0.7.5; python_version >= "3.7" \ 341 | --hash=sha256:9649af414d74d4df115d5d718f82acb59c9d418196b7b4290ed47a12ce62df56 \ 342 | --hash=sha256:87683d47965c1da65cdacaf31c8441d12b8044cdec9aca500cd78fc2c683afca 343 | prometheus-client==0.11.0; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.6" \ 344 | --hash=sha256:b014bc76815eb1399da8ce5fc84b7717a3e63652b0c0f8804092c9363acab1b2 \ 345 | --hash=sha256:3a8baade6cb80bcfe43297e33e7623f3118d660d41387593758e2fb1ea173a86 346 | prompt-toolkit==3.0.20; python_full_version >= "3.6.2" and python_version >= "3.7" \ 347 | --hash=sha256:6076e46efae19b1e0ca1ec003ed37a933dc94b4d20f486235d436e64771dcd5c \ 348 | --hash=sha256:eb71d5a6b72ce6db177af4a7d4d7085b99756bf656d98ffcc4fecd36850eea6c 349 | ptyprocess==0.7.0; sys_platform != "win32" and python_version >= "3.7" and os_name != "nt" \ 350 | --hash=sha256:4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35 \ 351 | --hash=sha256:5c5d0a3b48ceee0b48485e0c26037c0acd7d29765ca3fbb5cb3831d347423220 352 | py==1.10.0; python_version >= "3.6" and python_full_version < "3.0.0" and implementation_name == "pypy" or implementation_name == "pypy" and python_version >= "3.6" and python_full_version >= "3.4.0" \ 353 | 
--hash=sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a \ 354 | --hash=sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3 355 | pybind11==2.7.1; python_version >= "3.8" \ 356 | --hash=sha256:34663b2a16e7ac6ae8b77fef13e2b135e9fbc5ec13d2505d34bd35b3a41b9d82 \ 357 | --hash=sha256:8950aac5e5f4d505f7a0f067c5cb3893dcf098ff29cedfcb4ccf1e9e44d0bd9a 358 | pycparser==2.20; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.4.0" and python_version >= "3.6" \ 359 | --hash=sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705 \ 360 | --hash=sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0 361 | pygments==2.10.0; python_version >= "3.7" \ 362 | --hash=sha256:b8e67fe6af78f492b3c4b3e2970c0624cbf08beb1e493b2c99b9fa1b67a20380 \ 363 | --hash=sha256:f398865f7eb6874156579fdf36bc840a03cab64d1cde9e93d68f46a425ec52c6 364 | pyminizip==0.2.4 \ 365 | --hash=sha256:b001a5d0383fad73646b2d9db891f42e025c17f43d82ba1d7b75cae7c1ff4360 \ 366 | --hash=sha256:347be4c47d7390fc3265a3ce774fd036d0c85cf1efc9bd1ba5a3b3d28e89b255 367 | pyparsing==2.4.7; python_version >= "3.7" and python_full_version < "3.0.0" or python_full_version >= "3.3.0" and python_version >= "3.7" \ 368 | --hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b \ 369 | --hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 370 | pyrsistent==0.18.0; python_version >= "3.6" \ 371 | --hash=sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72 \ 372 | --hash=sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d \ 373 | --hash=sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2 \ 374 | --hash=sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1 \ 375 | --hash=sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7 \ 376 | 
--hash=sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396 \ 377 | --hash=sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710 \ 378 | --hash=sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35 \ 379 | --hash=sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f \ 380 | --hash=sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2 \ 381 | --hash=sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427 \ 382 | --hash=sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef \ 383 | --hash=sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c \ 384 | --hash=sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78 \ 385 | --hash=sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b \ 386 | --hash=sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4 \ 387 | --hash=sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680 \ 388 | --hash=sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426 \ 389 | --hash=sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b \ 390 | --hash=sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea \ 391 | --hash=sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b 392 | python-dateutil==2.8.2; python_full_version >= "3.6.1" and python_version >= "3.7" \ 393 | --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ 394 | --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 395 | python-evtx==0.7.4 \ 396 | --hash=sha256:693d441a2d9744c5d8d502f2bdeee468e087ea362ac8c8934b4187fb75e9ec14 \ 397 | --hash=sha256:60ed71185750e9d64830b3bead48ad543242a6287781368e6bc11a32ef49ac46 398 | pywin32==301; sys_platform == "win32" and platform_python_implementation != "PyPy" and python_version >= "3.6" \ 399 | 
--hash=sha256:93367c96e3a76dfe5003d8291ae16454ca7d84bb24d721e0b74a07610b7be4a7 \ 400 | --hash=sha256:9635df6998a70282bd36e7ac2a5cef9ead1627b0a63b17c731312c7a0daebb72 \ 401 | --hash=sha256:c866f04a182a8cb9b7855de065113bbd2e40524f570db73ef1ee99ff0a5cc2f0 \ 402 | --hash=sha256:dafa18e95bf2a92f298fe9c582b0e205aca45c55f989937c52c454ce65b93c78 \ 403 | --hash=sha256:98f62a3f60aa64894a290fb7494bfa0bfa0a199e9e052e1ac293b2ad3cd2818b \ 404 | --hash=sha256:fb3b4933e0382ba49305cc6cd3fb18525df7fd96aa434de19ce0878133bf8e4a \ 405 | --hash=sha256:88981dd3cfb07432625b180f49bf4e179fb8cbb5704cd512e38dd63636af7a17 \ 406 | --hash=sha256:8c9d33968aa7fcddf44e47750e18f3d034c3e443a707688a008a2e52bbef7e96 \ 407 | --hash=sha256:595d397df65f1b2e0beaca63a883ae6d8b6df1cdea85c16ae85f6d2e648133fe \ 408 | --hash=sha256:87604a4087434cd814ad8973bd47d6524bd1fa9e971ce428e76b62a5e0860fdf 409 | pywinpty==1.1.4; os_name == "nt" and python_version >= "3.6" \ 410 | --hash=sha256:fb975976ad92be44801de95fdf2b0366747767cb0528478553aff85dd63ebb09 \ 411 | --hash=sha256:5d25b30a2f87105778bc2f57cb1271f58aaa25568921ef042faf001b3b0a7307 \ 412 | --hash=sha256:c5c3550100689632f6663f39865ef8716835dab1838a9eb9b472644af92673f8 \ 413 | --hash=sha256:ad60a336d92ac38e2159320db6d5999c4c2726a141c3ed3f9694021feb6a234e \ 414 | --hash=sha256:cc700c9d5a9fcebf677ac93a4943ca9a24db6e2f11a5f0e7e8e226184c5036f7 415 | pyzmq==22.3.0; python_full_version >= "3.6.1" and python_version >= "3.7" \ 416 | --hash=sha256:6b217b8f9dfb6628f74b94bdaf9f7408708cb02167d644edca33f38746ca12dd \ 417 | --hash=sha256:2841997a0d85b998cbafecb4183caf51fd19c4357075dfd33eb7efea57e4c149 \ 418 | --hash=sha256:f89468059ebc519a7acde1ee50b779019535db8dcf9b8c162ef669257fef7a93 \ 419 | --hash=sha256:ea12133df25e3a6918718fbb9a510c6ee5d3fdd5a346320421aac3882f4feeea \ 420 | --hash=sha256:76c532fd68b93998aab92356be280deec5de8f8fe59cd28763d2cc8a58747b7f \ 421 | --hash=sha256:67db33bea0a29d03e6eeec55a8190e033318cee3cbc732ba8fd939617cbf762d \ 422 | 
--hash=sha256:7661fc1d5cb73481cf710a1418a4e1e301ed7d5d924f91c67ba84b2a1b89defd \ 423 | --hash=sha256:79244b9e97948eaf38695f4b8e6fc63b14b78cc37f403c6642ba555517ac1268 \ 424 | --hash=sha256:ab888624ed68930442a3f3b0b921ad7439c51ba122dbc8c386e6487a658e4a4e \ 425 | --hash=sha256:18cd854b423fce44951c3a4d3e686bac8f1243d954f579e120a1714096637cc0 \ 426 | --hash=sha256:de8df0684398bd74ad160afdc2a118ca28384ac6f5e234eb0508858d8d2d9364 \ 427 | --hash=sha256:3c1895c95be92600233e476fe283f042e71cf8f0b938aabf21b7aafa62a8dac9 \ 428 | --hash=sha256:851977788b9caa8ed011f5f643d3ee8653af02c5fc723fa350db5125abf2be7b \ 429 | --hash=sha256:b4ebed0977f92320f6686c96e9e8dd29eed199eb8d066936bac991afc37cbb70 \ 430 | --hash=sha256:42abddebe2c6a35180ca549fadc7228d23c1e1f76167c5ebc8a936b5804ea2df \ 431 | --hash=sha256:c1e41b32d6f7f9c26bc731a8b529ff592f31fc8b6ef2be9fa74abd05c8a342d7 \ 432 | --hash=sha256:be4e0f229cf3a71f9ecd633566bd6f80d9fa6afaaff5489492be63fe459ef98c \ 433 | --hash=sha256:7c58f598d9fcc52772b89a92d72bf8829c12d09746a6d2c724c5b30076c1f11d \ 434 | --hash=sha256:2b97502c16a5ec611cd52410bdfaab264997c627a46b0f98d3f666227fd1ea2d \ 435 | --hash=sha256:d728b08448e5ac3e4d886b165385a262883c34b84a7fe1166277fe675e1c197a \ 436 | --hash=sha256:480b9931bfb08bf8b094edd4836271d4d6b44150da051547d8c7113bf947a8b0 \ 437 | --hash=sha256:7dc09198e4073e6015d9a8ea093fc348d4e59de49382476940c3dd9ae156fba8 \ 438 | --hash=sha256:0ca6cd58f62a2751728016d40082008d3b3412a7f28ddfb4a2f0d3c130f69e74 \ 439 | --hash=sha256:c0f84360dcca3481e8674393bdf931f9f10470988f87311b19d23cda869bb6b7 \ 440 | --hash=sha256:f762442bab706fd874064ca218b33a1d8e40d4938e96c24dafd9b12e28017f45 \ 441 | --hash=sha256:954e73c9cd4d6ae319f1c936ad159072b6d356a92dcbbabfd6e6204b9a79d356 \ 442 | --hash=sha256:f43b4a2e6218371dd4f41e547bd919ceeb6ebf4abf31a7a0669cd11cd91ea973 \ 443 | --hash=sha256:acebba1a23fb9d72b42471c3771b6f2f18dcd46df77482612054bd45c07dfa36 \ 444 | --hash=sha256:cf98fd7a6c8aaa08dbc699ffae33fd71175696d78028281bc7b832b26f00ca57 \ 445 
| --hash=sha256:d072f7dfbdb184f0786d63bda26e8a0882041b1e393fbe98940395f7fab4c5e2 \ 446 | --hash=sha256:e6a02cf7271ee94674a44f4e62aa061d2d049001c844657740e156596298b70b \ 447 | --hash=sha256:d3dcb5548ead4f1123851a5ced467791f6986d68c656bc63bfff1bf9e36671e2 \ 448 | --hash=sha256:3a4c9886d61d386b2b493377d980f502186cd71d501fffdba52bd2a0880cef4f \ 449 | --hash=sha256:80e043a89c6cadefd3a0712f8a1322038e819ebe9dbac7eca3bce1721bcb63bf \ 450 | --hash=sha256:1621e7a2af72cced1f6ec8ca8ca91d0f76ac236ab2e8828ac8fe909512d566cb \ 451 | --hash=sha256:d6157793719de168b199194f6b6173f0ccd3bf3499e6870fac17086072e39115 \ 452 | --hash=sha256:8eddc033e716f8c91c6a2112f0a8ebc5e00532b4a6ae1eb0ccc48e027f9c671c 453 | requests==2.26.0; python_version >= "2.7" and python_full_version < "3.0.0" or python_full_version >= "3.6.0" \ 454 | --hash=sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24 \ 455 | --hash=sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7 456 | scikit-learn==0.23.2; python_version >= "3.8" \ 457 | --hash=sha256:20766f515e6cd6f954554387dfae705d93c7b544ec0e6c6a5d8e006f6f7ef480 \ 458 | --hash=sha256:98508723f44c61896a4e15894b2016762a55555fbf09365a0bb1870ecbd442de \ 459 | --hash=sha256:a64817b050efd50f9abcfd311870073e500ae11b299683a519fbb52d85e08d25 \ 460 | --hash=sha256:daf276c465c38ef736a79bd79fc80a249f746bcbcae50c40945428f7ece074f8 \ 461 | --hash=sha256:cb3e76380312e1f86abd20340ab1d5b3cc46a26f6593d3c33c9ea3e4c7134028 \ 462 | --hash=sha256:0a127cc70990d4c15b1019680bfedc7fec6c23d14d3719fdf9b64b22d37cdeca \ 463 | --hash=sha256:2aa95c2f17d2f80534156215c87bee72b6aa314a7f8b8fe92a2d71f47280570d \ 464 | --hash=sha256:6c28a1d00aae7c3c9568f61aafeaad813f0f01c729bee4fd9479e2132b215c1d \ 465 | --hash=sha256:da8e7c302003dd765d92a5616678e591f347460ac7b53e53d667be7dfe6d1b10 \ 466 | --hash=sha256:d9a1ce5f099f29c7c33181cc4386660e0ba891b21a60dc036bf369e3a3ee3aec \ 467 | --hash=sha256:914ac2b45a058d3f1338d7736200f7f3b094857758895f8667be8a81ff443b5b \ 468 | 
--hash=sha256:7671bbeddd7f4f9a6968f3b5442dac5f22bf1ba06709ef888cc9132ad354a9ab \ 469 | --hash=sha256:d0dcaa54263307075cb93d0bee3ceb02821093b1b3d25f66021987d305d01dce \ 470 | --hash=sha256:5ce7a8021c9defc2b75620571b350acc4a7d9763c25b7593621ef50f3bd019a2 \ 471 | --hash=sha256:0d39748e7c9669ba648acf40fb3ce96b8a07b240db6888563a7cb76e05e0d9cc \ 472 | --hash=sha256:1b8a391de95f6285a2f9adffb7db0892718950954b7149a70c783dc848f104ea 473 | scipy==1.6.1; python_version >= "3.8" \ 474 | --hash=sha256:a15a1f3fc0abff33e792d6049161b7795909b40b97c6cc2934ed54384017ab76 \ 475 | --hash=sha256:e79570979ccdc3d165456dd62041d9556fb9733b86b4b6d818af7a0afc15f092 \ 476 | --hash=sha256:a423533c55fec61456dedee7b6ee7dce0bb6bfa395424ea374d25afa262be261 \ 477 | --hash=sha256:33d6b7df40d197bdd3049d64e8e680227151673465e5d85723b3b8f6b15a6ced \ 478 | --hash=sha256:6725e3fbb47da428794f243864f2297462e9ee448297c93ed1dcbc44335feb78 \ 479 | --hash=sha256:5fa9c6530b1661f1370bcd332a1e62ca7881785cc0f80c0d559b636567fab63c \ 480 | --hash=sha256:bd50daf727f7c195e26f27467c85ce653d41df4358a25b32434a50d8870fc519 \ 481 | --hash=sha256:f46dd15335e8a320b0fb4685f58b7471702234cba8bb3442b69a3e1dc329c345 \ 482 | --hash=sha256:0e5b0ccf63155d90da576edd2768b66fb276446c371b73841e3503be1d63fb5d \ 483 | --hash=sha256:2481efbb3740977e3c831edfd0bd9867be26387cacf24eb5e366a6a374d3d00d \ 484 | --hash=sha256:68cb4c424112cd4be886b4d979c5497fba190714085f46b8ae67a5e4416c32b4 \ 485 | --hash=sha256:5f331eeed0297232d2e6eea51b54e8278ed8bb10b099f69c44e2558c090d06bf \ 486 | --hash=sha256:0c8a51d33556bf70367452d4d601d1742c0e806cd0194785914daf19775f0e67 \ 487 | --hash=sha256:83bf7c16245c15bc58ee76c5418e46ea1811edcc2e2b03041b804e46084ab627 \ 488 | --hash=sha256:794e768cc5f779736593046c9714e0f3a5940bc6dcc1dba885ad64cbfb28e9f0 \ 489 | --hash=sha256:5da5471aed911fe7e52b86bf9ea32fb55ae93e2f0fac66c32e58897cfb02fa07 \ 490 | --hash=sha256:8e403a337749ed40af60e537cc4d4c03febddcc56cd26e774c9b1b600a70d3e4 \ 491 | 
--hash=sha256:a5193a098ae9f29af283dcf0041f762601faf2e595c0db1da929875b7570353f \ 492 | --hash=sha256:c4fceb864890b6168e79b0e714c585dbe2fd4222768ee90bc1aa0f8218691b11 493 | send2trash==1.8.0; python_version >= "3.6" \ 494 | --hash=sha256:f20eaadfdb517eaca5ce077640cb261c7d2698385a6a0f072a4a5447fd49fa08 \ 495 | --hash=sha256:d2c24762fd3759860a0aff155e45871447ea58d2be6bdd39b5c8f966a0c99c2d 496 | six==1.16.0; python_full_version >= "3.6.1" and python_version >= "3.7" and (python_version >= "3.7" and python_full_version < "3.0.0" or python_full_version >= "3.3.0" and python_version >= "3.7") \ 497 | --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 \ 498 | --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 499 | soupsieve==2.2.1; python_version >= "3.6" and python_full_version > "3.0.0" \ 500 | --hash=sha256:c2c1c2d44f158cdbddab7824a9af8c4f83c76b1e23e049479aa432feb6c4c23b \ 501 | --hash=sha256:052774848f448cf19c7e959adf5566904d525f33a3f8b6ba6f6f8f26ec7de0cc 502 | stringsifter==2.20201202; python_version >= "3.8" \ 503 | --hash=sha256:ea0f52cfaacd64ec28fb538ee38cf59d59aa7f12ee3f7abe80208de44e2fb269 \ 504 | --hash=sha256:464d8b96f870fffd8283f3228586feccc7a570763033cf896bddbfb4d98b3273 505 | terminado==0.12.1; python_version >= "3.6" \ 506 | --hash=sha256:09fdde344324a1c9c6e610ee4ca165c4bb7f5bbf982fceeeb38998a988ef8452 \ 507 | --hash=sha256:b20fd93cc57c1678c799799d117874367cc07a3d2d55be95205b1a88fa08393f 508 | testpath==0.5.0; python_version >= "3.7" \ 509 | --hash=sha256:8044f9a0bab6567fc644a3593164e872543bb44225b0e24846e2c89237937589 \ 510 | --hash=sha256:1acf7a0bcd3004ae8357409fc33751e16d37ccc650921da1094a86581ad1e417 511 | threadpoolctl==2.2.0; python_version >= "3.8" \ 512 | --hash=sha256:e5a995e3ffae202758fa8a90082e35783b9370699627ae2733cd1c3a73553616 \ 513 | --hash=sha256:86d4b6801456d780e94681d155779058759eaef3c3564758b17b6c99db5f81cb 514 | tornado==6.1; python_full_version >= "3.6.1" and python_version >= 
"3.7" \ 515 | --hash=sha256:d371e811d6b156d82aa5f9a4e08b58debf97c302a35714f6f45e35139c332e32 \ 516 | --hash=sha256:0d321a39c36e5f2c4ff12b4ed58d41390460f798422c4504e09eb5678e09998c \ 517 | --hash=sha256:9de9e5188a782be6b1ce866e8a51bc76a0fbaa0e16613823fc38e4fc2556ad05 \ 518 | --hash=sha256:61b32d06ae8a036a6607805e6720ef00a3c98207038444ba7fd3d169cd998910 \ 519 | --hash=sha256:3e63498f680547ed24d2c71e6497f24bca791aca2fe116dbc2bd0ac7f191691b \ 520 | --hash=sha256:6c77c9937962577a6a76917845d06af6ab9197702a42e1346d8ae2e76b5e3675 \ 521 | --hash=sha256:6286efab1ed6e74b7028327365cf7346b1d777d63ab30e21a0f4d5b275fc17d5 \ 522 | --hash=sha256:fa2ba70284fa42c2a5ecb35e322e68823288a4251f9ba9cc77be04ae15eada68 \ 523 | --hash=sha256:0a00ff4561e2929a2c37ce706cb8233b7907e0cdc22eab98888aca5dd3775feb \ 524 | --hash=sha256:748290bf9112b581c525e6e6d3820621ff020ed95af6f17fedef416b27ed564c \ 525 | --hash=sha256:e385b637ac3acaae8022e7e47dfa7b83d3620e432e3ecb9a3f7f58f150e50921 \ 526 | --hash=sha256:25ad220258349a12ae87ede08a7b04aca51237721f63b1808d39bdb4b2164558 \ 527 | --hash=sha256:65d98939f1a2e74b58839f8c4dab3b6b3c1ce84972ae712be02845e65391ac7c \ 528 | --hash=sha256:e519d64089b0876c7b467274468709dadf11e41d65f63bba207e04217f47c085 \ 529 | --hash=sha256:b87936fd2c317b6ee08a5741ea06b9d11a6074ef4cc42e031bc6403f82a32575 \ 530 | --hash=sha256:cc0ee35043162abbf717b7df924597ade8e5395e7b66d18270116f8745ceb795 \ 531 | --hash=sha256:7250a3fa399f08ec9cb3f7b1b987955d17e044f1ade821b32e5f435130250d7f \ 532 | --hash=sha256:ed3ad863b1b40cd1d4bd21e7498329ccaece75db5a5bf58cd3c9f130843e7102 \ 533 | --hash=sha256:dcef026f608f678c118779cd6591c8af6e9b4155c44e0d1bc0c87c036fb8c8c4 \ 534 | --hash=sha256:70dec29e8ac485dbf57481baee40781c63e381bebea080991893cd297742b8fd \ 535 | --hash=sha256:d3f7594930c423fd9f5d1a76bee85a2c36fd8b4b16921cae7e965f22575e9c01 \ 536 | --hash=sha256:3447475585bae2e77ecb832fc0300c3695516a47d46cefa0528181a34c5b9d3d \ 537 | 
--hash=sha256:e7229e60ac41a1202444497ddde70a48d33909e484f96eb0da9baf8dc68541df \ 538 | --hash=sha256:cb5ec8eead331e3bb4ce8066cf06d2dfef1bfb1b2a73082dfe8a161301b76e37 \ 539 | --hash=sha256:20241b3cb4f425e971cb0a8e4ffc9b0a861530ae3c52f2b0434e6c1b57e9fd95 \ 540 | --hash=sha256:c77da1263aa361938476f04c4b6c8916001b90b2c2fdd92d8d535e1af48fba5a \ 541 | --hash=sha256:fba85b6cd9c39be262fcd23865652920832b61583de2a2ca907dbd8e8a8c81e5 \ 542 | --hash=sha256:1e8225a1070cd8eec59a996c43229fe8f95689cb16e552d130b9793cb570a288 \ 543 | --hash=sha256:d14d30e7f46a0476efb0deb5b61343b1526f73ebb5ed84f23dc794bdb88f9d9f \ 544 | --hash=sha256:8f959b26f2634a091bb42241c3ed8d3cedb506e7c27b8dd5c7b9f745318ddbb6 \ 545 | --hash=sha256:34ca2dac9e4d7afb0bed4677512e36a52f09caa6fded70b4e3e1c89dbd92c326 \ 546 | --hash=sha256:6196a5c39286cc37c024cd78834fb9345e464525d8991c21e908cc046d1cc02c \ 547 | --hash=sha256:f0ba29bafd8e7e22920567ce0d232c26d4d47c8b5cf4ed7b562b5db39fa199c5 \ 548 | --hash=sha256:33892118b165401f291070100d6d09359ca74addda679b60390b09f8ef325ffe \ 549 | --hash=sha256:7da13da6f985aab7f6f28debab00c67ff9cbacd588e8477034c0652ac141feea \ 550 | --hash=sha256:e0791ac58d91ac58f694d8d2957884df8e4e2f6687cdf367ef7eb7497f79eaa2 \ 551 | --hash=sha256:66324e4e1beede9ac79e60f88de548da58b1f8ab4b2f1354d8375774f997e6c0 \ 552 | --hash=sha256:a48900ecea1cbb71b8c71c620dee15b62f85f7c14189bdeee54966fbd9a0c5bd \ 553 | --hash=sha256:d3d20ea5782ba63ed13bc2b8c291a053c8d807a8fa927d941bd718468f7b950c \ 554 | --hash=sha256:548430be2740e327b3fe0201abe471f314741efcb0067ec4f2d7dcfb4825f3e4 \ 555 | --hash=sha256:33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791 556 | traitlets==5.1.0; python_full_version >= "3.6.1" and python_version >= "3.7" \ 557 | --hash=sha256:03f172516916220b58c9f19d7f854734136dd9528103d04e9bf139a92c9f54c4 \ 558 | --hash=sha256:bd382d7ea181fbbcce157c133db9a829ce06edffe097bcf3ab945b435452b46d 559 | urllib3==1.26.7; python_version >= "2.7" and python_full_version < "3.0.0" or 
python_full_version >= "3.6.0" and python_version < "4" \ 560 | --hash=sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844 \ 561 | --hash=sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece 562 | virustotal-api==1.1.11 \ 563 | --hash=sha256:9f1d783a848e928a78aa168372645c6899cbbd6b888951e1d6335e5b87de1c3d \ 564 | --hash=sha256:d238603aafa9d6229394f4df26fb076eb0f5ddf4b60672cf0fd1b7f2608a8b29 565 | wcwidth==0.2.5; python_full_version >= "3.6.2" and python_version >= "3.7" \ 566 | --hash=sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784 \ 567 | --hash=sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83 568 | webencodings==0.5.1; python_version >= "3.7" \ 569 | --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \ 570 | --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923 571 | widgetsnbextension==3.5.1 \ 572 | --hash=sha256:bd314f8ceb488571a5ffea6cc5b9fc6cba0adaf88a9d2386b93a489751938bcd \ 573 | --hash=sha256:079f87d87270bce047512400efd70238820751a11d2d8cb137a5a5bdbaf255c7 574 | zipp==1.0.0; python_version >= "2.7" \ 575 | --hash=sha256:8dda78f06bd1674bd8720df8a50bb47b6e1233c503a4eed8e7810686bde37656 \ 576 | --hash=sha256:d38fbe01bbf7a3593a32bc35a9c4453c32bc42b98c377f9bff7e9f8da157786c 577 | -------------------------------------------------------------------------------- /utils/__init__.py: -------------------------------------------------------------------------------- 1 | from malware import * 2 | from colors import * 3 | -------------------------------------------------------------------------------- /utils/colors.py: -------------------------------------------------------------------------------- 1 | from colorama import * 2 | 3 | # Print statement colors 4 | info = (Fore.BLUE + "[*]" + Fore.RESET + " ") 5 | recc = (Fore.YELLOW + "[*]" + Fore.RESET + " ") 6 | good = (Fore.GREEN + "[+]" + Fore.RESET + " ") 7 | important = (Fore.CYAN 
+ "[!]" + Fore.RESET + " ") 8 | printError = (Fore.RED + "[X]" + Fore.RESET + " ") 9 | 10 | # Confidence interval colors 11 | none = (Fore.WHITE + "[*]" + Fore.RESET + " ") 12 | low = (Fore.CYAN + "[*]" + Fore.RESET + " ") 13 | med = (Fore.YELLOW + "[*]" + Fore.RESET + " ") 14 | high = (Fore.MAGENTA + "[*]" + Fore.RESET + " ") 15 | crit = (Fore.RED + "[*]" + Fore.RESET + " ") -------------------------------------------------------------------------------- /utils/malware.py: -------------------------------------------------------------------------------- 1 | from colors import * 2 | 3 | """ 4 | For Malware-related utilities across notebooks 5 | """ 6 | 7 | 8 | def malicious_confidence(vt_results): 9 | """ 10 | Determine malicious confidence from a VT API Report 11 | """ 12 | try: 13 | dispositions = [r["result"] for r in vt_results["results"]["scans"].values()] 14 | malicious = list(filter(lambda d: d != None, dispositions)) 15 | return round(len(malicious) / len(dispositions) * 100, 2) 16 | except KeyError: 17 | return None 18 | 19 | 20 | def determine_criticality(score): 21 | """ 22 | Maps confidence level of VT analysis to criticality 23 | """ 24 | if score: 25 | if score >= 90: 26 | print(r" \\--> " + crit + "Criticality Level: Critical") 27 | return "Critical" 28 | elif score >= 70: 29 | print(r" \\--> " + high + "Criticality Level: High") 30 | return "High" 31 | elif score >= 50: 32 | print(r" \\--> " + med + "Criticality Level: Medium") 33 | return "Medium" 34 | elif score >= 20: 35 | print(r" \\--> " + low + "Criticality Level: Low") 36 | return "Low" 37 | else: 38 | print(r" \\--> " + none + "Criticality Level: None") 39 | return "None" 40 | else: 41 | print(r" \\--> " + none + "Criticality Level: None") 42 | return "None" 43 | --------------------------------------------------------------------------------