
Streamline analysis of cyber threats in an interactive and secure environment. Windows, Linux, Android VMs support.
Vendor: ANY.RUN




Analyze Malware and Phishing in a safe environment
Easy to use. Configurable. Quick to deliver the verdict. ANY.RUN sandbox accelerates your malware research. Now with AI.
Interactivity in safe environment
Interact with the VM in your browser. Click on files, open archives or browse websites.
Fast access to knowledge
Our VMs start in under 10s. And it takes just 40s until the report.
Windows, Linux, Android Support
Analyze in Windows 7, 10, and 11, Linux Ubuntu, and Android 14 VMs.
Multiple report formats
View MITRE ATT&CK TTPs, IOCs, process graphs, and customizable text reports.
Benefits of cloud interactivity
- Easy to use, even for beginners, lowering the learning curve and streamlining onboarding.
- Quickly delivers IOCs during live analysis sessions, saving time when it's critical.
- Cuts costs and boosts security across the organization by reducing dependency on hardware malware labs.
Understand everything the malware is doing
Get clear, immediate indicators of malware behaviour
Monitor processes in real time with tree view
See system processes live, organized in a tree structure. Access detection rules, TTPs, memory dumps, and PE files easily.
- IOCs: Collect IOCs quickly without waiting for a final report.
- Threat names: Identify known malware families by name with tags.
- Detection rules: View triggered detection rules for each process.
- MITRE ATT&CK: Map malicious behaviors to MITRE ATT&CK TTPs.
Get a live view of all network activity
Monitor HTTP connections, DNS requests and connections with C2 servers to evaluate network threats.
- HTTP requests: See what apps and processes create connections.
- Connections: Break down connections by port, IP, and protocol.
- DNS: Analyze DNS requests by time-shift, status, domain, and detection rules.
- Threats: See network threats identified by Suricata IDS.
Understand how malware interacts with the filesystem
Examine file modifications and catch suspicious actions like unauthorized file creation or deletion.
Perform deep malware analysis using advanced features and detailed views
Events breakdown for every process
- View event details for each process: file modifications, registry changes, synchronization activities, HTTP requests, network connections and threats, as well as loaded modules.
- Use simple view to browse key events and raw view to see all events.
Process memory dumps
- ANY.RUN performs real-time process memory analysis, offering options to unload memory or config.
- Memory dumps decode configuration strings for over 40 malware families.
Static analysis
- Preview malicious file content without code execution, even through multiple nesting layers.
- Extract PDF headers, HEX values, images, and scripts.
- Pull metadata and IOCs from MSG/Email files.
- Analyze hidden content in OneNote, Office files, and archives, including images, headers, and embeds.
Packet capture to analyze exfiltrated data
View exfiltrated data in HEX, clear-text or side by side with syntax highlighting.
Customizable network settings
Customize your VM's network settings by enabling a MITM proxy, TOR routing, a residential proxy, or a custom VPN.
Network threat detection even for encrypted traffic with MITM proxy
Gain deeper insights into hidden network threats in encrypted traffic with MITM proxy.
Built-in debugger for reverse engineering samples
Pinpoint the exact operations carried out by malware, making it easier to understand its behavior and purpose.
Analyze and share tasks with powerful reports
MITRE ATT&CK mapping
ATT&CK matrix aligns malware behavior with tactics, techniques, and procedures.
IOCs report
The IOCs report gives instant access to indicators to power your defensive strategy.
Visual process graph
Graph visualizations show an easy-to-follow chain of events that led to infection.
Text reports
Text reports offer detailed analysis summaries. Customize, print, and download them as needed, or share via link with your team.
Export rules
Export triggered detection rules to MISP.
Download evidence
Collect and share threat intel by downloading the full report in HTML, JSON summary, all data as a ZIP file and the process graph.
AI reports
AI can summarize analysis sessions and highlight suspicious activity with explanations.
API
Integrate ANY.RUN into your company’s framework, minimize threat analysis time by automating file and URL submission, and share results with your team.
SDK
With our software development kit, you can tailor the service to your needs for an even faster and smoother integration. Automate the analysis of files and URLs, as well as report downloading.