Any run

What is ANY.RUN?

ANY.RUN is an interactive online malware sandbox that lets security analysts execute suspicious files, URLs, and phishing pages inside isolated virtual machines and observe exactly what happens in real time. Unlike traditional automated sandboxes that run a sample and return a static report, ANY.RUN is fully interactive: the analyst controls the environment during execution, can click links, open documents, interact with installers, and trigger deferred payloads that would otherwise remain dormant. Every action taken by the malware is captured and displayed live: process creation, file system changes, registry modifications, network connections, DNS queries, and API calls. The platform also extracts indicators of compromise automatically, generates MITRE ATT&CK mappings, and provides YARA rule matches, making the output immediately usable for detection and hunting. Because it runs in the cloud, no local infrastructure is required, and sessions can be shared with team members for collaborative investigation.

How does ANY.RUN work with Qevlar?

Qevlar integrates with ANY.RUN to analyze suspicious files and URLs encountered during automated investigations. When an alert involves an unknown executable, a suspicious attachment, or a potentially malicious link, Qevlar can submit it to ANY.RUN and retrieve the behavioral verdict, extracted IOCs, and ATT&CK mappings to enrich the investigation before an analyst reviews it.