+
+
+
+
+ | Option | Description |
+
+ filename | Rename the sample file |
+ name | Force family extractor to run (e.g., name=trickbot) |
+ curdir | Execution directory (default %TEMP%) |
+ executiondir | Directory to launch file from (default %TEMP%) |
+ arguments | Arguments for the executable or exported function |
+ appdata | Run executable from AppData instead of Temp |
+ pwsh | Prefer PowerShell Core (pwsh.exe) |
+ free | Run without monitoring (disables many capabilities) |
+ ignore_size_check | Allow ignore file size (must be enabled in conf) |
+ check_shellcode | Disable shellcode check during package ID (check_shellcode=0) |
+ function | Exported function/ordinal to execute (DLL) |
+ dllloader | Process loading the DLL (default rundll32.exe) |
+ file | Name of file to execute (Zip/Rar) |
+ password | Password for extraction/Office |
+ startbrowser | Launch browser 30s into analysis |
+ browserdelay | Seconds to wait before starting browser |
+ url | URL for started browser |
+ servicedesc | Service description (Service package) |
+ pre_script_args | Args for pre_script |
+ during_script_args | Args for during_script |
+ lang | Override system language (LCID) |
+ standalone | Run in standalone mode (no pipe) |
+ monitor | Inject monitor into PID/Explorer |
+ shutdown-mutex | Mutex name for shutdown signal |
+ terminate-event | Event name for termination signal |
+ terminate-processes | Terminate processes on event |
+ first-process | (Internal) First process in tree |
+ startup-time | MS since system startup |
+
+
-
-
-
-
-
-
- | Option |
- Description |
-
-
-
-
- no-stealth |
- Disable anti-anti-VM/sandbox tricks |
-
-
- force-sleepskip |
- 1 = Skip all sleeps, 0 = Disable sleep skipping |
-
-
- serial |
- Spoof the system volume serial number |
-
-
- single-process |
- Limit monitoring to initial process only |
-
-
- interactive |
- Enable interactive desktop mode |
-
-
- referrer |
- Fake referrer for URL analysis |
-
-
- norefer |
- Disable fake referrer |
-
-
- file-of-interest |
- Specific file or URL being analyzed |
-
-
- pdf |
- Adobe Reader specific hooks/behavior |
-
-
- sysvol_ctimelow/high |
- Spoof creation time of system volume |
-
-
- fake-rdtsc |
- Enable fake RDTSC results |
-
-
- ntdll-protect |
- Enable write protection on ntdll.dll code |
-
-
- ntdll-unhook |
- Enable protection against ntdll unhooking |
-
-
- protected-pids |
- Enable protection for critical PIDs |
-
-
-
-
+
+
+
+
+
+ | Option | Description |
+
+ no-stealth | Disable anti-anti-VM/sandbox tricks |
+ force-sleepskip | 1 = Skip all sleeps, 0 = Disable sleep skipping |
+ serial | Spoof the system volume serial number |
+ single-process | Limit monitoring to initial process only |
+ interactive | Enable interactive desktop mode |
+ referrer | Fake referrer for URL analysis |
+ norefer | Disable fake referrer |
+ file-of-interest | Specific file or URL being analyzed |
+ pdf | Adobe Reader specific hooks/behavior |
+ sysvol_ctimelow/high | Spoof creation time of system volume |
+ fake-rdtsc | Enable fake RDTSC results |
+ ntdll-protect | Enable write protection on ntdll.dll code |
+ ntdll-unhook | Enable protection against ntdll unhooking |
+ protected-pids | Enable protection for critical PIDs |
+
+
-
-
-
-
-
-
- | Option |
- Description |
-
-
-
-
- full-logs |
- Disable log suppression |
-
-
- force-flush |
- 1 = Flush after non-duplicate API, 2 = Force flush every log |
-
-
- buffer-max |
- Max size for log buffer |
-
-
- large-buffer-max |
- Max size for large log buffers |
-
-
- api-rate-cap |
- Limit rate of API logging |
-
-
- api-cap |
- Limit total number of API logs |
-
-
- hook-type |
- Hook type: direct, indirect, or safe (32-bit only) |
-
-
- syscall |
- Enable syscall hooks (Win10+) |
-
-
- disable-hook-content |
- 1 = Remove payload of non-critical hooks, 2 = All hooks |
-
-
- exclude-apis |
- Colon-separated list of APIs to exclude from hooking |
-
-
- exclude-dlls |
- Colon-separated list of DLLs to exclude from hooking |
-
-
- unhook-apis |
- Dynamically unhook functions (colon-separated) |
-
-
- coverage-modules |
- Colon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering) |
-
-
- zerohook |
- Disable all hooks except essential |
-
-
- hook-protect |
- Enable write protection on hook pages |
-
-
- log-exceptions |
- Enable logging of exceptions |
-
-
-
-
+
+
+
+
+
+ | Option | Description |
+
+ full-logs | Disable log suppression |
+ force-flush | 1 = Flush after non-duplicate API, 2 = Force flush every log |
+ buffer-max | Max size for log buffer |
+ large-buffer-max | Max size for large log buffers |
+ api-rate-cap | Limit rate of API logging |
+ api-cap | Limit total number of API logs |
+ hook-type | Hook type: direct, indirect, or safe (32-bit only) |
+ syscall | Enable syscall hooks (Win10+) |
+ disable-hook-content | 1 = Remove payload of non-critical hooks, 2 = All hooks |
+ exclude-apis | Colon-separated list of APIs to exclude from hooking |
+ exclude-dlls | Colon-separated list of DLLs to exclude from hooking |
+ unhook-apis | Dynamically unhook functions (colon-separated) |
+ coverage-modules | Colon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering) |
+ zerohook | Disable all hooks except essential |
+ hook-protect | Enable write protection on hook pages |
+ log-exceptions | Enable logging of exceptions |
+
+
-
-
-
-
-
-
- | Option |
- Description |
-
-
-
-
- procdump |
- Enable process memory dumping on exit/timeout |
-
-
- procmemdump |
- Enable full process memory dumping |
-
-
- dump-on-api |
- Dump calling module when specific APIs are called (colon-separated) |
-
-
- dump-config-region |
- Dump memory regions suspected to contain C2 config |
-
-
- dump-crypto |
- Dump buffers from Crypto APIs |
-
-
- dump-keys |
- Dump keys from CryptImportKey |
-
-
- amsidump |
- Enable AMSI buffer dumping (Win10+) |
-
-
- tlsdump |
- Enable dumping of TLS secrets |
-
-
- dropped-limit |
- Override default dropped file limit (100) |
-
-
- compression |
- Enable CAPE's extraction of compressed payloads |
-
-
- extraction |
- Enable CAPE's extraction of payloads from within process |
-
-
- injection |
- Enable CAPE's capture of injected payloads |
-
-
- combo |
- Combine compression, injection, and extraction |
-
-
- unpacker |
- 1 = Passive unpacking, 2 = Active unpacking |
-
-
- import-reconstruction |
- Attempt import reconstruction on dumps |
-
-
- store_memdump |
- Force STORE memdump (submit to analyzer directly) |
-
-
-
-
+
+
+
+
+
+ | Option | Description |
+
+ procdump | Enable process memory dumping on exit/timeout |
+ procmemdump | Enable full process memory dumping |
+ dump-on-api | Dump calling module when specific APIs are called (colon-separated) |
+ dump-config-region | Dump memory regions suspected to contain C2 config |
+ dump-crypto | Dump buffers from Crypto APIs |
+ dump-keys | Dump keys from CryptImportKey |
+ amsidump | Enable AMSI buffer dumping (Win10+) |
+ tlsdump | Enable dumping of TLS secrets |
+ dropped-limit | Override default dropped file limit (100) |
+ compression | Enable CAPE's extraction of compressed payloads |
+ extraction | Enable CAPE's extraction of payloads from within process |
+ injection | Enable CAPE's capture of injected payloads |
+ combo | Combine compression, injection, and extraction |
+ unpacker | 1 = Passive unpacking, 2 = Active unpacking |
+ import-reconstruction | Attempt import reconstruction on dumps |
+ store_memdump | Force STORE memdump (submit to analyzer directly) |
+
+
-
-
-
-
-
-
- | Option |
- Description |
-
-
-
-
- debugger |
- Enable internal debugger engine |
-
-
- debug |
- 1 = Report critical exceptions, 2 = All exceptions |
-
-
- bp0...bp3 |
- Hardware breakpoints (Address or Module:Export) |
-
-
- bp |
- Software breakpoints (colon-separated addresses) |
-
-
- break-on-return |
- Break on return from specific APIs |
-
-
- base-on-api |
- Set base address for breakpoints based on API |
-
-
- file-offsets |
- Interpret breakpoints as file offsets |
-
-
- trace-all |
- Enable full execution tracing |
-
-
- depth |
- Trace depth limit (default 0) |
-
-
- count |
- Trace instruction count limit (default 128) |
-
-
- loop_detection |
- Enable loop detection (compress call logs) |
-
-
- ttd |
- Time Travel Debugging (ttd=1) |
-
-
- polarproxy |
- Run PolarProxy (TLS PCAP) |
-
-
- mitmdump |
- Run mitmdump (TLS HAR) |
-
-
-
-
+
+
+
+
+
+ | Option | Description |
+
+ debugger | Enable internal debugger engine |
+ debug | 1 = Report critical exceptions, 2 = All exceptions |
+ bp0...bp3 | Hardware breakpoints (Address or Module:Export) |
+ bp | Software breakpoints (colon-separated addresses) |
+ break-on-return | Break on return from specific APIs |
+ base-on-api | Set base address for breakpoints based on API |
+ file-offsets | Interpret breakpoints as file offsets |
+ trace-all | Enable full execution tracing |
+ depth | Trace depth limit (default 0) |
+ count | Trace instruction count limit (default 128) |
+ loop_detection | Enable loop detection (compress call logs) |
+ ttd | Time Travel Debugging (ttd=1) |
+ polarproxy | Run PolarProxy (TLS PCAP) |
+ mitmdump | Run mitmdump (TLS HAR) |
+
+
-
-
+ }
+
+
+
+
+
+
+
+
+ {% if config.tlp %}
+
+
+
+
+ {% endif %}
+
-
+
+
-
-
-
- {% if config.pre_script %}
-
-
-
-
- {% endif %}
+ {% if config.pre_script %}
+
+
+
+
+ {% endif %}
- {% if config.during_script %}
-
-
-
-
- {% endif %}
-
-
-
-
+ {% if config.during_script %}
+
+
+
+
+ {% endif %}
+
+
+
+
-
-
-
-
-
-
-
-
-
-
- {% if config.procmemory %}
-
-
-
-
- {% endif %}
- {% if config.amsidump %}
-
-
-
-
- {% endif %}
-
-
-
-
- {% if config.memory %}
-
-
-
-
- {% endif %}
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
+
+
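Review bot: the removed `{% if config.procmemory %}`, `{% if config.amsidump %}` and `{% if config.memory %}` blocks have no replacement anywhere in this hunk, yet the new options table still documents `procmemdump | Enable full process memory dumping` and `amsidump | Enable AMSI buffer dumping (Win10+)`; confirm those form controls were dropped on purpose (or moved into another hunk), otherwise the table advertises options the form no longer exposes. Two smaller points: the lone `+ }` has no opening brace anywhere in this hunk, so check that it balances something above the hunk rather than being a stray leftover; and the data rows are written as `filename | Rename the sample file |` without the leading `|` that the header `| Option | Description |` uses, so either add the leading delimiter to every row or drop it from the header so all rows parse the same way. Wording: `ignore_size_check | Allow ignore file size (must be enabled in conf)` reads better as "Ignore the file size limit (must be enabled in conf)", and entries marked `(Internal)` such as `first-process`, together with `shutdown-mutex`, `terminate-event` and `startup-time`, may not belong in a user-facing submission table.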
@@ -1006,6 +679,7 @@
Options
+
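Review bot: the only change in this hunk is a blank `+` line after `Options`; with the rest of the hunk's context not shown it is unclear what the extra line separates, so confirm it is intentional spacing and not trailing whitespace introduced during the table rewrite.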