
ANY.RUN Cloud Sandbox

This Integration is part of the ANY.RUN Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

ANY.RUN is a cloud-based sandbox with interactive access.

Use Cases

ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

  1. Submit a file, remote file, or URL to ANY.RUN for analysis using one of the following OS:
    • Windows
    • Ubuntu
    • Android
  2. Retrieve report details for a given analysis task ID in various formats:
    • JSON summary
    • HTML
    • IOCs
  3. View the history of analysis tasks.
  4. View personal analysis limits.
  5. Download the submitted file sample and the analysis network traffic dumps.

Generate API token

  • Open ANY.RUN Sandbox
  • [1] Profile > [2] API and Limits > [3] Generate > [4] Copy

(Screenshot: ANY.RUN Generate API KEY)

Configure ANY.RUN Sandbox in Cortex

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ANY.RUN.
  3. Click Add instance to create and configure a new integration instance.
  4. Insert the ANY.RUN API-KEY into the Password parameter.
  5. Click Test to validate the URLs, token, and connection.

| Parameter | Description | Required |
| --- | --- | --- |
| Password | ANY.RUN API-KEY without prefix | True |
| Server's FQDN | Go to Settings & Info → Settings → Integrations → API Keys. Click Copy API URL. Your FQDN is saved in the clipboard. Enter it without the http/https protocol | True |
| XSOAR API-KEY ID | In the API Keys table, locate the ID field. Note your corresponding ID number | True |
| XSOAR API-KEY | XSOAR API-KEY | True |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

anyrun-detonate-file-windows

Perform file analysis using a Windows VM.

Base Command

anyrun-detonate-file-windows

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | XSOAR incident file data. | Required |
| env_version | Version of OS. Possible values are: 7, 10, 11. Default is 10. | Optional |
| env_bitness | Bitness of the operating system. Possible values are: 32, 64. Default is 64. | Optional |
| env_type | Environment preset type. The development env can be selected only for Windows 10 x64; for all other cases the complete env is required. Possible values are: development, complete. Default is complete. | Optional |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 240. | Optional |
| obj_ext_startfolder | Start file analysis from the specified directory. Possible values are: desktop, home, downloads, appdata, temp, windows, root. Default is temp. | Optional |
| obj_ext_cmd | Optional command line. | Optional |
| obj_force_elevation | Forces the file to execute with elevated privileges and an elevated token (PE32, PE32+, PE64 files only). Default is False. | Optional |
| obj_ext_extension | Change the extension to a valid one. Default is True. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateFileWindows.TaskID | String | Task UUID. |

anyrun-detonate-url-windows

Perform URL analysis using a Windows VM.

Base Command

anyrun-detonate-url-windows

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| obj_url | Target URL. Size range 5-512. Example: (http/https)://(your-link). | Required |
| env_version | Version of OS. Possible values are: 7, 10, 11. Default is 10. | Optional |
| env_bitness | Bitness of the operating system. Possible values are: 32, 64. Default is 64. | Optional |
| env_type | Environment preset type. The development env can be selected only for Windows 10 x64; for all other cases the complete env is required. Possible values are: development, complete. Default is complete. | Optional |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 240. | Optional |
| obj_ext_browser | Browser name. Possible values are: Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge. Default is Google Chrome. | Optional |
| obj_ext_extension | Change the extension to a valid one. Default is True. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateUrlWindows.TaskID | String | Task UUID. |
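As a pre-flight check before a playbook issues either Windows detonation command, the following added example (not part of the ANY.RUN pack or of XSOAR) validates the arguments against the constraints documented in the two Windows tables above: the allowed values, the 10-660 timeout range, the 5-512 URL length with an http/https prefix, and the rule that the development preset exists only for Windows 10 x64. Argument names and defaults are taken from the tables; the function name, the boolean spellings accepted and the sample inputs are assumptions of this example.

```python
import re

# Defaults shared by anyrun-detonate-file-windows and anyrun-detonate-url-windows,
# as listed in the argument tables above.
COMMON_DEFAULTS = {
    "env_version": "10", "env_bitness": "64", "env_type": "complete",
    "env_locale": "en-US", "opt_network_connect": "True",
    "opt_network_fakenet": "False", "opt_network_tor": "False",
    "opt_network_geo": "fastest", "opt_network_mitm": "False",
    "opt_network_residential_proxy": "False",
    "opt_network_residential_proxy_geo": "fastest",
    "opt_privacy_type": "bylink", "opt_timeout": "240", "obj_ext_extension": "True",
}
FILE_DEFAULTS = {"obj_ext_startfolder": "temp", "obj_force_elevation": "False"}
URL_DEFAULTS = {"obj_ext_browser": "Google Chrome"}

# Enumerated arguments and their documented "Possible values".
CHOICES = {
    "env_version": {"7", "10", "11"},
    "env_bitness": {"32", "64"},
    "env_type": {"development", "complete"},
    "opt_privacy_type": {"public", "bylink", "owner", "byteam"},
    "obj_ext_startfolder": {"desktop", "home", "downloads", "appdata", "temp", "windows", "root"},
    "obj_ext_browser": {"Google Chrome", "Mozilla Firefox", "Internet Explorer", "Microsoft Edge"},
}
BOOL_ARGS = {
    "opt_network_connect", "opt_network_fakenet", "opt_network_tor", "opt_network_mitm",
    "opt_network_residential_proxy", "obj_ext_extension", "obj_force_elevation",
}
TIMEOUT_MIN, TIMEOUT_MAX = 10, 660   # opt_timeout "Size range: 10-660"
URL_MIN, URL_MAX = 5, 512            # obj_url "Size range 5-512"


def _to_bool(raw):
    """XSOAR hands arguments over as strings; the accepted spellings are an assumption."""
    if isinstance(raw, bool):
        return raw
    text = str(raw).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0"):
        return False
    raise ValueError(f"not a boolean: {raw!r}")


def validate_windows_detonation(args, target):
    """Check args for target="file" (anyrun-detonate-file-windows) or target="url"
    (anyrun-detonate-url-windows). Returns (normalized_args, errors): defaults filled
    in, booleans as bool, opt_timeout as int; errors is empty when the call is sound."""
    if target not in ("file", "url"):
        raise ValueError("target must be 'file' or 'url'")
    defaults = {**COMMON_DEFAULTS, **(FILE_DEFAULTS if target == "file" else URL_DEFAULTS)}
    allowed = set(defaults) | {"obj_ext_cmd", "file" if target == "file" else "obj_url"}
    errors = [f"unknown argument: {name}" for name in sorted(set(args) - allowed)]
    merged = {**defaults, **{k: v for k, v in args.items() if k in allowed}}

    # The one required argument differs per command.
    if target == "file":
        if not merged.get("file"):
            errors.append("file is required")
    else:
        url = str(merged.get("obj_url", ""))
        if not url:
            errors.append("obj_url is required")
        elif not URL_MIN <= len(url) <= URL_MAX:
            errors.append(f"obj_url length must be {URL_MIN}-{URL_MAX}, got {len(url)}")
        elif not re.match(r"^https?://", url, re.IGNORECASE):
            errors.append("obj_url must start with http:// or https://")

    # Enumerated values (compared as strings, since ints such as 10 are common in playbooks).
    for name, choices in CHOICES.items():
        if name in merged:
            merged[name] = str(merged[name])
            if merged[name] not in choices:
                errors.append(f"{name} must be one of {sorted(choices)}, got {merged[name]!r}")

    # Boolean switches.
    for name in sorted(BOOL_ARGS & set(merged)):
        try:
            merged[name] = _to_bool(merged[name])
        except ValueError as exc:
            errors.append(f"{name}: {exc}")

    # Timeout range.
    try:
        timeout = int(merged["opt_timeout"])
        if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
            errors.append(f"opt_timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX}, got {timeout}")
        merged["opt_timeout"] = timeout
    except (TypeError, ValueError):
        errors.append(f"opt_timeout must be an integer, got {merged['opt_timeout']!r}")

    # Cross-field rule from the env_type description: development only for Windows 10 x64.
    if merged["env_type"] == "development" and (merged["env_version"], merged["env_bitness"]) != ("10", "64"):
        errors.append("env_type=development is only available for Windows 10 x64; use env_type=complete")

    return merged, errors


if __name__ == "__main__":
    # Constructed sample inputs; "entry-id-placeholder" stands in for real XSOAR file data.
    print(validate_windows_detonation({"file": "entry-id-placeholder", "env_version": 11}, "file")[1])
    print(validate_windows_detonation(
        {"obj_url": "ftp://example.test", "env_type": "development", "env_version": "7",
         "opt_timeout": "900"}, "url")[1])
```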

anyrun-detonate-file-linux

Perform file analysis using an Ubuntu VM.

Base Command

anyrun-detonate-file-linux

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | XSOAR incident file data. | Required |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| env_os | Operating system. Default is ubuntu. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 240. | Optional |
| obj_ext_startfolder | Start file analysis from the specified directory. Possible values are: desktop, home, downloads, appdata, temp, windows, root. Default is temp. | Optional |
| obj_ext_cmd | Optional command line. | Optional |
| run_as_root | Run the file with superuser privileges. Default is True. | Optional |
| obj_ext_extension | Change the extension to a valid one. Default is True. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateFileLinux.TaskID | String | Task UUID. |

anyrun-detonate-url-linux

Perform URL analysis using an Ubuntu VM.

Base Command

anyrun-detonate-url-linux

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| obj_url | Target URL. Size range 5-512. Example: (http/https)://(your-link). | Required |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| env_os | Operating system. Default is ubuntu. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 120. | Optional |
| obj_ext_browser | Browser name. Possible values are: Google Chrome, Mozilla Firefox. Default is Google Chrome. | Optional |
| obj_ext_extension | Change the extension to a valid one. Default is True. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateUrlLinux.TaskID | String | Task UUID. |

anyrun-detonate-file-android

Perform file analysis using an Android VM.

Base Command

anyrun-detonate-file-android

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | XSOAR Entry ID. | Required |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 120. | Optional |
| obj_ext_cmd | Optional command line. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateFileAndroid.TaskID | String | Task UUID. |

anyrun-detonate-url-android

Perform URL analysis using an Android VM.

Base Command

anyrun-detonate-url-android

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| obj_url | Target URL. Size range 5-512. Example: (http/https)://(your-link). | Required |
| env_locale | Operating system language. Use a locale identifier or country name (e.g. "en-US" or "Brazil"). Case insensitive. Default is en-US. | Optional |
| opt_network_connect | Network connection state. Default is True. | Optional |
| opt_network_fakenet | FakeNet feature status. Default is False. | Optional |
| opt_network_tor | Use TOR. Default is False. | Optional |
| opt_network_geo | TOR geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_network_mitm | HTTPS MITM proxy option. Default is False. | Optional |
| opt_network_residential_proxy | Use a residential proxy. Default is False. | Optional |
| opt_network_residential_proxy_geo | Residential proxy geolocation option. Example: US, AU. Default is fastest. | Optional |
| opt_privacy_type | Privacy settings. Possible values are: public, bylink, owner, byteam. Default is bylink. | Optional |
| opt_timeout | Timeout option. Size range: 10-660. Default is 120. | Optional |
| obj_ext_browser | Browser name. Possible values are: Google Chrome, Mozilla Firefox. Default is Google Chrome. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN_DetonateUrlAndroid.TaskID | String | Task UUID. |

anyrun-get-user-limits

Get the user's available limits for performing sandbox analysis.

Base Command

anyrun-get-user-limits

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN.SandboxLimits.web.minute | String | Limit for interactive usage per minute. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.web.hour | String | Limit for interactive usage per hour. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.web.day | String | Limit for interactive usage per day. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.web.month | String | Limit for interactive usage per month. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.api.minute | String | Limit for API usage per minute. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.api.hour | String | Limit for API usage per hour. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.api.day | String | Limit for API usage per day. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.api.month | String | Limit for API usage per month. A value of -1 indicates unlimited usage. |
| ANYRUN.SandboxLimits.parallels.total | String | Total limit for parallel runs. |
| ANYRUN.SandboxLimits.parallels.available | String | Currently available parallel runs. |

anyrun-get-analysis-history

Get the analysis history.

Base Command

anyrun-get-analysis-history

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| team | Leave this field blank to get your own history, or set it to get the team history. Default is False. | Optional |
| skip | Skip the specified number of tasks. Default is 0. | Optional |
| limit | Number of tasks in the result set (not more than 100). Default is 25. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN.SandboxHistory.tasks.uuid | String | Task UUID. |
| ANYRUN.SandboxHistory.tasks.verdict | String | ANY.RUN verdict for the submitted file. |
| ANYRUN.SandboxHistory.tasks.name | String | Task name. |
| ANYRUN.SandboxHistory.tasks.related | String | ANY.RUN link to a related file. |
| ANYRUN.SandboxHistory.tasks.pcap | String | ANY.RUN link to the network traffic dump. |
| ANYRUN.SandboxHistory.tasks.file | String | ANY.RUN link to the file sample. |
| ANYRUN.SandboxHistory.tasks.json | String | ANY.RUN link to the JSON summary. |
| ANYRUN.SandboxHistory.tasks.misp | String | ANY.RUN link to the MISP report. |
| ANYRUN.SandboxHistory.tasks.tags | String | ANY.RUN related tags array. |
| ANYRUN.SandboxHistory.tasks.date | Date | The date the file was submitted for analysis. |
| ANYRUN.SandboxHistory.tasks.hashes.md5 | String | MD5 hash of the submitted file. |
| ANYRUN.SandboxHistory.tasks.hashes.sha1 | String | SHA1 hash of the submitted file. |
| ANYRUN.SandboxHistory.tasks.hashes.sha256 | String | SHA256 hash of the submitted file. |
| ANYRUN.SandboxHistory.tasks.hashes.ssdeep | String | SSDeep hash of the submitted file. |

anyrun-delete-task

Deletes the analysis task with the specified task UUID.

Base Command

anyrun-delete-task

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Sandbox task UUID. | Required |

Context Output

There is no context output for this command.

anyrun-get-analysis-report

Returns the analysis report summary.

Base Command

anyrun-get-analysis-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Sandbox task UUID. | Required |
| report_format | Report format. Possible values are: summary, html, ioc. Default is summary. | Optional |
| incident_info | XSOAR related incident info. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN.SandboxAnalysis.mitre.name | String | MITRE technique text description. |
| ANYRUN.SandboxAnalysis.mitre.phases | String | MITRE technique phases. |
| ANYRUN.SandboxAnalysis.mitre.id | String | MITRE technique identifier. |
| ANYRUN.SandboxAnalysis.debugStrings | Unknown | Analysis debug information. |
| ANYRUN.SandboxAnalysis.incidents.process | String | Analysis process. |
| ANYRUN.SandboxAnalysis.incidents.events.time | Date | Event time. |
| ANYRUN.SandboxAnalysis.incidents.events.cmdline | String | Event command line. |
| ANYRUN.SandboxAnalysis.incidents.events.image | String | Event image. |
| ANYRUN.SandboxAnalysis.incidents.mitre.v | String | MITRE version. |
| ANYRUN.SandboxAnalysis.incidents.mitre.sid | String | SID. |
| ANYRUN.SandboxAnalysis.incidents.mitre.tid | String | TID. |
| ANYRUN.SandboxAnalysis.incidents.count | String | Count of related incidents. |
| ANYRUN.SandboxAnalysis.incidents.firstSeen | Date | Incident first seen date. |
| ANYRUN.SandboxAnalysis.incidents.source | String | Incident source. |
| ANYRUN.SandboxAnalysis.incidents.desc | String | Incident description. |
| ANYRUN.SandboxAnalysis.incidents.title | String | Incident title. |
| ANYRUN.SandboxAnalysis.incidents.threatLevel | String | Incident threat level. |
| ANYRUN.SandboxAnalysis.incidents.events.typeValue | String | Event type value. |
| ANYRUN.SandboxAnalysis.incidents.events.key | String | Event key. |
| ANYRUN.SandboxAnalysis.incidents.events.value | String | Event value. |
| ANYRUN.SandboxAnalysis.incidents.events.name | String | Event name. |
| ANYRUN.SandboxAnalysis.incidents.events.operation | String | Event operation. |
| ANYRUN.SandboxAnalysis.incidents.events.cmdParent | String | Event parent cmd. |
| ANYRUN.SandboxAnalysis.incidents.events.cmdChild | String | Event child cmd. |
| ANYRUN.SandboxAnalysis.modified.registry.time | Date | Registry time. |
| ANYRUN.SandboxAnalysis.modified.registry.process | String | Registry process. |
| ANYRUN.SandboxAnalysis.modified.registry.operation | String | Registry operation. |
| ANYRUN.SandboxAnalysis.modified.registry.value | String | Registry value. |
| ANYRUN.SandboxAnalysis.modified.registry.name | String | Registry name. |
| ANYRUN.SandboxAnalysis.modified.registry.key | String | Registry key. |
| ANYRUN.SandboxAnalysis.modified.files.process | String | File process. |
| ANYRUN.SandboxAnalysis.modified.files.size | String | File size. |
| ANYRUN.SandboxAnalysis.modified.files.filename | String | Filename. |
| ANYRUN.SandboxAnalysis.modified.files.time | Date | File creation time. |
| ANYRUN.SandboxAnalysis.modified.files.info.mime | String | File MIME type. |
| ANYRUN.SandboxAnalysis.modified.files.info.file | String | File content. |
| ANYRUN.SandboxAnalysis.modified.files.permanentUrl | String | File URL. |
| ANYRUN.SandboxAnalysis.modified.files.hashes.ssdeep | String | File SSDeep hash. |
| ANYRUN.SandboxAnalysis.modified.files.hashes.sha256 | String | File SHA256 hash. |
| ANYRUN.SandboxAnalysis.modified.files.hashes.sha1 | String | File SHA1 hash. |
| ANYRUN.SandboxAnalysis.modified.files.hashes.md5 | String | File MD5 hash. |
| ANYRUN.SandboxAnalysis.modified.files.threatLevel | String | File threat level. |
| ANYRUN.SandboxAnalysis.modified.files.type | String | File type. |
| ANYRUN.SandboxAnalysis.network.threats | Unknown | Analysis network threats. |
| ANYRUN.SandboxAnalysis.network.connections.reputation | String | Network connection reputation. |
| ANYRUN.SandboxAnalysis.network.connections.tlsFingerprint.ja3SFullstring | String | Network connection JA3S full string. |
| ANYRUN.SandboxAnalysis.network.connections.tlsFingerprint.ja3S | String | Network connection JA3S. |
| ANYRUN.SandboxAnalysis.network.connections.tlsFingerprint.ja3Fullstring | String | Network connection JA3 full string. |
| ANYRUN.SandboxAnalysis.network.connections.tlsFingerprint.ja3 | String | Network connection JA3. |
| ANYRUN.SandboxAnalysis.network.connections.time | Date | Network connection time. |
| ANYRUN.SandboxAnalysis.network.connections.asn | String | Network connection ASN. |
| ANYRUN.SandboxAnalysis.network.connections.country | String | Network connection country. |
| ANYRUN.SandboxAnalysis.network.connections.protocol | String | Network connection protocol. |
| ANYRUN.SandboxAnalysis.network.connections.port | String | Network connection port. |
| ANYRUN.SandboxAnalysis.network.connections.ip | String | Network connection IP. |
| ANYRUN.SandboxAnalysis.network.connections.process | String | Network connection processes. |
| ANYRUN.SandboxAnalysis.network.connections.tlsFingerprint.jarm | String | Network connection JARM. |
| ANYRUN.SandboxAnalysis.network.httpRequests.country | String | HTTP request country. |
| ANYRUN.SandboxAnalysis.network.httpRequests.reputation | String | HTTP request reputation. |
| ANYRUN.SandboxAnalysis.network.httpRequests.process | String | HTTP request related process. |
| ANYRUN.SandboxAnalysis.network.httpRequests.httpCode | String | HTTP request status code. |
| ANYRUN.SandboxAnalysis.network.httpRequests.status | String | HTTP request status. |
| ANYRUN.SandboxAnalysis.network.httpRequests.user-agent | String | HTTP request User-Agent header value. |
| ANYRUN.SandboxAnalysis.network.httpRequests.proxyDetected | String | Whether a proxy was detected for the HTTP request. |
| ANYRUN.SandboxAnalysis.network.httpRequests.port | String | HTTP request port. |
| ANYRUN.SandboxAnalysis.network.httpRequests.ip | String | HTTP request IP. |
| ANYRUN.SandboxAnalysis.network.httpRequests.url | String | HTTP request URL. |
| ANYRUN.SandboxAnalysis.network.httpRequests.host | String | HTTP request host. |
| ANYRUN.SandboxAnalysis.network.httpRequests.method | String | HTTP request method. |
| ANYRUN.SandboxAnalysis.network.httpRequests.time | Date | HTTP request time estimate. |
| ANYRUN.SandboxAnalysis.network.dnsRequests.reputationNumber | String | DNS request reputation number. |
| ANYRUN.SandboxAnalysis.network.dnsRequests.reputation | String | DNS request reputation. |
| ANYRUN.SandboxAnalysis.network.dnsRequests.ips | String | DNS request IPs. |
| ANYRUN.SandboxAnalysis.network.dnsRequests.domain | String | DNS request domain. |
| ANYRUN.SandboxAnalysis.network.dnsRequests.time | Date | DNS request time estimate. |
| ANYRUN.SandboxAnalysis.malconf | Unknown | Analysis malware configuration. |
| ANYRUN.SandboxAnalysis.processes.synchronization | Unknown | Analysis processes synchronization. |
| ANYRUN.SandboxAnalysis.processes.modules | Unknown | Analysis processes modules. |
| ANYRUN.SandboxAnalysis.processes.hasMalwareConfig | String | Process has malware config. |
| ANYRUN.SandboxAnalysis.processes.parentUUID | String | Process parent UUID. |
| ANYRUN.SandboxAnalysis.processes.status | String | Process status. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.malwareConfig | String | Process malware config. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.privEscalation | String | Process privilege escalation. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.stealing | String | Process stealing. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.networkLoader | String | Process network loader. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.network | String | Process network. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.lowAccess | String | Process low access. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.knownThreat | String | Process known threat. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.injects | String | Process injects. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.exploitable | String | Process exploitable. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.executableDropped | String | Process executable dropped. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.debugOutput | String | Process debug output. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.crashedApps | String | Process crashed apps. |
| ANYRUN.SandboxAnalysis.processes.scores.specs.autoStart | String | Process auto start. |
| ANYRUN.SandboxAnalysis.processes.scores.loadsSusp | String | Process loads suspicious modules. |
| ANYRUN.SandboxAnalysis.processes.scores.injected | String | Process injected. |
| ANYRUN.SandboxAnalysis.processes.scores.dropped | String | Process dropped. |
| ANYRUN.SandboxAnalysis.processes.scores.verdict.threatLevelText | String | Process threat level text. |
| ANYRUN.SandboxAnalysis.processes.scores.verdict.threatLevel | String | Process threat level. |
| ANYRUN.SandboxAnalysis.processes.scores.verdict.score | String | Process score. |
| ANYRUN.SandboxAnalysis.processes.context.userName | String | Process context username. |
| ANYRUN.SandboxAnalysis.processes.context.integrityLevel | String | Process context integrity level. |
| ANYRUN.SandboxAnalysis.processes.context.rebootNumber | String | Process context reboot number. |
| ANYRUN.SandboxAnalysis.processes.versionInfo.version | String | Process version. |
| ANYRUN.SandboxAnalysis.processes.versionInfo.description | String | Process description. |
| ANYRUN.SandboxAnalysis.processes.versionInfo.company | String | Process company. |
| ANYRUN.SandboxAnalysis.processes.mainProcess | String | Process is the main process. |
| ANYRUN.SandboxAnalysis.processes.fileType | String | Process file type. |
| ANYRUN.SandboxAnalysis.processes.fileName | String | Process filename. |
| ANYRUN.SandboxAnalysis.processes.commandLine | String | Process command line. |
| ANYRUN.SandboxAnalysis.processes.image | String | Process image. |
| ANYRUN.SandboxAnalysis.processes.uuid | String | Process UUID. |
| ANYRUN.SandboxAnalysis.processes.ppid | String | Process PPID. |
| ANYRUN.SandboxAnalysis.processes.important | String | Process important. |
| ANYRUN.SandboxAnalysis.processes.pid | String | Process PID. |
| ANYRUN.SandboxAnalysis.processes.exitCode | String | Process exit code. |
| ANYRUN.SandboxAnalysis.processes.times.terminate | Date | Process termination time. |
| ANYRUN.SandboxAnalysis.processes.times.start | Date | Process start time. |
| ANYRUN.SandboxAnalysis.processes.resolvedCOM.title | String | Process resolved COM title. |
| ANYRUN.SandboxAnalysis.processes.synchronization.operation | String | Process sync operation. |
| ANYRUN.SandboxAnalysis.processes.synchronization.type | String | Process sync type. |
| ANYRUN.SandboxAnalysis.processes.synchronization.name | String | Process sync name. |
| ANYRUN.SandboxAnalysis.processes.synchronization.time | Date | Process sync time. |
| ANYRUN.SandboxAnalysis.processes.modules.image | String | Process module image. |
| ANYRUN.SandboxAnalysis.processes.modules.time | Date | Process module time. |
| ANYRUN.SandboxAnalysis.processes.scores.monitoringReason | String | Process monitoring reason. |
| ANYRUN.SandboxAnalysis.processes.times.monitoringSince | Date | Process monitored since. |
| ANYRUN.SandboxAnalysis.counters.synchronization.type.event | String | Sync event count. |
| ANYRUN.SandboxAnalysis.counters.synchronization.type.mutex | String | Sync mutex count. |
| ANYRUN.SandboxAnalysis.counters.synchronization.operation.create | String | Sync create operation count. |
| ANYRUN.SandboxAnalysis.counters.synchronization.operation.open | String | Sync open operation count. |
| ANYRUN.SandboxAnalysis.counters.synchronization.total | String | Sync total count. |
| ANYRUN.SandboxAnalysis.counters.registry.delete | String | Registry delete count. |
| ANYRUN.SandboxAnalysis.counters.registry.write | String | Registry write count. |
| ANYRUN.SandboxAnalysis.counters.registry.read | String | Registry read count. |
| ANYRUN.SandboxAnalysis.counters.registry.total | String | Registry total count. |
| ANYRUN.SandboxAnalysis.counters.files.malicious | String | Malicious files count. |
| ANYRUN.SandboxAnalysis.counters.files.suspicious | String | Suspicious files count. |
| ANYRUN.SandboxAnalysis.counters.files.text | String | Text files count. |
| ANYRUN.SandboxAnalysis.counters.files.unknown | String | Unknown files count. |
| ANYRUN.SandboxAnalysis.counters.network.threats | String | Network threats count. |
| ANYRUN.SandboxAnalysis.counters.network.dns | String | Network DNS requests count. |
| ANYRUN.SandboxAnalysis.counters.network.connections | String | Network connections count. |
| ANYRUN.SandboxAnalysis.counters.network.http | String | Network HTTP requests count. |
| ANYRUN.SandboxAnalysis.counters.processes.malicious | String | Malicious processes count. |
| ANYRUN.SandboxAnalysis.counters.processes.suspicious | String | Suspicious processes count. |
| ANYRUN.SandboxAnalysis.counters.processes.monitored | String | Monitored processes count. |
| ANYRUN.SandboxAnalysis.counters.processes.total | String | Total processes count. |
| ANYRUN.SandboxAnalysis.environments.hotfixes.title | String | Environment hotfix title. |
| ANYRUN.SandboxAnalysis.environments.software.version | String | Environment software version. |
| ANYRUN.SandboxAnalysis.environments.software.title | String | Environment software title. |
| ANYRUN.SandboxAnalysis.environments.internetExplorer.kbnum | String | Environment Internet Explorer KB number. |
| ANYRUN.SandboxAnalysis.environments.internetExplorer.version | String | Environment Internet Explorer version. |
| ANYRUN.SandboxAnalysis.environments.os.bitness | String | Environment OS bitness. |
| ANYRUN.SandboxAnalysis.environments.os.softSet | String | Environment OS software set. |
| ANYRUN.SandboxAnalysis.environments.os.servicePack | String | Environment OS service pack. |
| ANYRUN.SandboxAnalysis.environments.os.major | String | Environment OS major version. |
| ANYRUN.SandboxAnalysis.environments.os.productType | String | Environment OS product type. |
| ANYRUN.SandboxAnalysis.environments.os.variant | String | Environment OS variant. |
| ANYRUN.SandboxAnalysis.environments.os.product | String | Environment OS product. |
| ANYRUN.SandboxAnalysis.environments.os.build | String | Environment OS build. |
| ANYRUN.SandboxAnalysis.environments.os.title | String | Environment OS title. |
| ANYRUN.SandboxAnalysis.analysis.content.dumps | Unknown | Content dumps. |
| ANYRUN.SandboxAnalysis.analysis.content.screenshots.thumbnailUrl | String | Screenshot thumbnail URL. |
| ANYRUN.SandboxAnalysis.analysis.content.screenshots.permanentUrl | String | Screenshot permanent URL. |
| ANYRUN.SandboxAnalysis.analysis.content.screenshots.time | String | Screenshot time. |
| ANYRUN.SandboxAnalysis.analysis.content.screenshots.uuid | String | Screenshot UUID. |
| ANYRUN.SandboxAnalysis.analysis.content.sslkeys.present | String | SSL keys present. |
| ANYRUN.SandboxAnalysis.analysis.content.pcap.permanentUrl | String | PCAP dump permanent URL. |
| ANYRUN.SandboxAnalysis.analysis.content.pcap.present | String | PCAP present. |
| ANYRUN.SandboxAnalysis.analysis.content.video.permanentUrl | String | Video permanent URL. |
| ANYRUN.SandboxAnalysis.analysis.content.video.present | String | Video present. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.hashes.ssdeep | String | Main object SSDeep hash. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.hashes.sha256 | String | Main object SHA256 hash. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.hashes.sha1 | String | Main object SHA1 hash. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.hashes.md5 | String | Main object MD5 hash. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.url | String | Main object URL. |
| ANYRUN.SandboxAnalysis.analysis.content.mainObject.type | String | Main object type. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.knownThreat | String | Specs known threat. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.malwareConfig | String | Specs malware config. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.notStarted | String | Specs not started. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.privEscalation | String | Specs privilege escalation. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.torUsed | String | Specs TOR used. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.suspStruct | String | Specs suspicious structure. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.stealing | String | Specs stealing. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.staticDetections | String | Specs static detections. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.spam | String | Specs spam. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.serviceLauncher | String | Specs service launcher. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.rebooted | String | Specs rebooted. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.networkThreats | String | Specs network threats. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.networkLoader | String | Specs network loader. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.multiprocessing | String | Specs multiprocessing. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.memOverrun | String | Specs memory overrun. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.lowAccess | String | Specs low access. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.exploitable | String | Specs exploitable. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.executableDropped | String | Specs executable dropped. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.debugOutput | String | Specs debug output. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.crashedTask | String | Specs crashed task. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.crashedApps | String | Specs crashed apps. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.cpuOverrun | String | Specs CPU overrun. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.autoStart | String | Specs auto start. |
| ANYRUN.SandboxAnalysis.analysis.scores.specs.injects | String | Specs injects. |
| ANYRUN.SandboxAnalysis.analysis.scores.verdict.threatLevelText | String | Verdict threat level text. |
| ANYRUN.SandboxAnalysis.analysis.scores.verdict.threatLevel | String | Verdict threat level. |
| ANYRUN.SandboxAnalysis.analysis.scores.verdict.score | String | Verdict score. |
| ANYRUN.SandboxAnalysis.analysis.options.automatization.uac | String | Options automatization UAC. |
| ANYRUN.SandboxAnalysis.analysis.options.privateSample | String | Options private sample. |
| ANYRUN.SandboxAnalysis.analysis.options.privacy | String | Options privacy. |
| ANYRUN.SandboxAnalysis.analysis.options.network | String | Options network. |
| ANYRUN.SandboxAnalysis.analysis.options.hideSource | String | Options hide source. |
| ANYRUN.SandboxAnalysis.analysis.options.video | String | Options video. |
| ANYRUN.SandboxAnalysis.analysis.options.presentation | String | Options presentation. |
| ANYRUN.SandboxAnalysis.analysis.options.tor.used | String | Options TOR used. |
| ANYRUN.SandboxAnalysis.analysis.options.mitm | String | Options MITM proxy. |
| ANYRUN.SandboxAnalysis.analysis.options.heavyEvasion | String | Options kernel heavy evasion. |
| ANYRUN.SandboxAnalysis.analysis.options.fakeNet | String | Options fake network. |
| ANYRUN.SandboxAnalysis.analysis.options.additionalTime | String | Options additional time. |
| ANYRUN.SandboxAnalysis.analysis.options.timeout | String | Options timeout. |
| ANYRUN.SandboxAnalysis.analysis.tags | Unknown | Analysis tags. |
| ANYRUN.SandboxAnalysis.analysis.stopExecText | Date | Analysis stop execution text. |
| ANYRUN.SandboxAnalysis.analysis.stopExec | Date | Analysis stop execution date. |
| ANYRUN.SandboxAnalysis.analysis.creationText | Date | Analysis creation text. |
| ANYRUN.SandboxAnalysis.analysis.creation | Date | Analysis creation date. |
| ANYRUN.SandboxAnalysis.analysis.duration | String | Analysis duration. |
| ANYRUN.SandboxAnalysis.analysis.sandbox.plan.name | String | Analysis sandbox user plan name. |
| ANYRUN.SandboxAnalysis.analysis.sandbox.name | String | Analysis sandbox name. |
| ANYRUN.SandboxAnalysis.analysis.reports.graph | String | Analysis reports graph. |
| ANYRUN.SandboxAnalysis.analysis.reports.STIX | String | Analysis STIX report URL. |
| ANYRUN.SandboxAnalysis.analysis.reports.HTML | String | Analysis HTML report URL. |
| ANYRUN.SandboxAnalysis.analysis.reports.MISP | String | Analysis MISP report URL. |
| ANYRUN.SandboxAnalysis.analysis.reports.IOC | String | Analysis IOC report URL. |
| ANYRUN.SandboxAnalysis.analysis.permanentUrl | String | Analysis permanent URL. |
| ANYRUN.SandboxAnalysis.analysis.uuid | String | Analysis UUID. |
| ANYRUN.SandboxAnalysis.status | String | Analysis status. |

anyrun-download-analysis-pcap

Returns the analysis network traffic dump.

Base Command

anyrun-download-analysis-pcap

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Sandbox task UUID. | Required |

Context Output

There is no context output for this command.

anyrun-download-analysis-sample

Returns the analysis file in a zip archive. Archive password: infected.

Base Command

anyrun-download-analysis-sample

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Sandbox task UUID. | Required |

Context Output

There is no context output for this command.

anyrun-get-analysis-verdict

Returns the threat level text. Possible values: No threats detected, Suspicious activity, Malicious activity.

Base Command

anyrun-get-analysis-verdict

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| task_uuid | Sandbox task UUID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN.SandboxAnalysisReportVerdict | String | The analysis verdict. |