# speakeasy
> Windows binary emulator — emulates API calls to analyze malware behavior without native execution

**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610)
**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)

## Usage
```bash
speakeasy -t specimen.exe -o report.json 2> report.txt
speakeasy -t shellcode.bin -r -a x86
```

## Recipes
- [[recipes/speakeasy-emulation-with-json|Emulate Malware and Extract API Calls]]

## Workflows
- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative)
- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 3: Emulation-Based Unpacking
- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 3: Emulation

## Related Tools
- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating 
- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal

## FOR610
**Labs:** 1.4
**Sections:** 1

#emulation #api-calls #behavioral-analysis