Behavioral Analysis not Available. #2877

@ColeNorthway

Description

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [x] I am running the latest version
  • [x] I did read the README!
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed
  • [ ] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [x] I have read and checked all configs (with all optional parts)
  • [x] Asked and no solution about my issue with deepwiki

Expected Behavior

Please describe the behavior you are expecting. If your x64 samples are stuck in pending, ensure that you set tags=x64 in the hypervisor conf for the x64 VMs.

The behavioral analysis should load the process information, etc...

Current Behavior

What is the current behavior?

Currently I am having an issue with the behavioral analysis showing on the web interface. I have the behavioral analysis information enabled in the processing.conf. My logs directory, however, is completely empty, as well as my cuckoo.log. The log information seems OK from the cuckoo.py feedback after a submission. The agent is up, and I am getting static information from strings, yara rules, etc. However, the only kind of clue that I have is that the analysis.log is showing that after restarting the process post-injection, the process will fail to open and get the exit code. I have debloated my Windows VM instance as well as disabled UAC, Defender, etc. Some information is below.

Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

THE ANALYSIS LOG

```text
2026-01-29 02:14:49,023 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2026-01-29 02:14:49,116 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2026-01-29 02:14:49,179 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2026-01-29 02:14:49,319 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2026-01-29 02:14:49,429 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2026-01-29 02:14:49,491 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2026-01-29 02:14:49,554 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2026-01-29 02:14:49,601 [modules.auxiliary.evtx] DEBUG: Wiping Application
2026-01-29 02:14:49,679 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2026-01-29 02:14:49,741 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2026-01-29 02:14:49,819 [root] INFO: Restarting WMI Service
2026-01-29 02:14:49,835 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2026-01-29 02:14:49,913 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2026-01-29 02:14:49,929 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-01-29 02:14:49,929 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-01-29 02:14:49,929 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-01-29 02:14:49,944 [lib.api.process] INFO: Successfully executed process from path "C:\Users\cape\AppData\Local\Temp\Stealer.exe" with arguments "" with pid 3080
2026-01-29 02:14:49,944 [lib.api.process] INFO: Monitor config for <Process 3080 Stealer.exe>: C:\g98nejrp\dll\3080.ini
2026-01-29 02:14:49,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\g98nejrp\dll\mlUnNWv.dll, loader C:\g98nejrp\bin\lXIDDCwu.exe
2026-01-29 02:14:49,976 [root] DEBUG: Loader: Injecting process 3080 (thread 3252) with C:\g98nejrp\dll\mlUnNWv.dll.
2026-01-29 02:14:49,976 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-01-29 02:14:49,976 [root] DEBUG: Successfully injected DLL C:\g98nejrp\dll\mlUnNWv.dll.
2026-01-29 02:14:49,976 [lib.api.process] INFO: Injected into 64-bit <Process 3080 Stealer.exe>
2026-01-29 02:14:49,991 [modules.auxiliary.evtx] DEBUG: Wiping Security
2026-01-29 02:14:50,054 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2026-01-29 02:14:50,116 [modules.auxiliary.evtx] DEBUG: Wiping System
2026-01-29 02:14:50,179 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2026-01-29 02:14:50,288 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2026-01-29 02:14:51,991 [lib.api.process] INFO: Successfully resumed <Process 3080 Stealer.exe>
2026-01-29 02:14:53,007 [lib.api.process] WARNING: failed to open process 3080
2026-01-29 02:14:53,007 [lib.api.process] WARNING: failed to open process 3080
2026-01-29 02:14:53,007 [lib.api.process] DEBUG: Failed getting image name for pid 3080
2026-01-29 02:14:53,007 [lib.api.process] WARNING: failed to open process 3080
2026-01-29 02:14:53,007 [lib.api.process] DEBUG: Failed getting image name for pid 3080
2026-01-29 02:14:53,007 [lib.api.process] DEBUG: Failed getting exit code for <Process 3080 ???>
2026-01-29 02:14:53,007 [root] INFO: Process with pid 3080 appears to have terminated
2026-01-29 02:14:58,085 [root] INFO: Process list is empty, terminating analysis
2026-01-29 02:14:59,101 [root] INFO: Created shutdown mutex
2026-01-29 02:15:00,116 [root] INFO: Shutting down package
2026-01-29 02:15:00,116 [root] INFO: Stopping auxiliary modules
2026-01-29 02:15:00,116 [root] INFO: Stopping auxiliary module: Browser
2026-01-29 02:15:00,116 [root] INFO: Stopping auxiliary module: Curtain
2026-01-29 02:15:00,163 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1769681700.1636283.curtain.log; Size is 36; Max size: 100000000
2026-01-29 02:15:00,179 [root] INFO: Stopping auxiliary module: Evtx
2026-01-29 02:15:00,179 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2026-01-29 02:15:00,194 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2026-01-29 02:15:00,382 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2026-01-29 02:15:00,382 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 163658; Max size: 100000000
2026-01-29 02:15:00,398 [root] INFO: Stopping auxiliary module: Human
2026-01-29 02:15:02,929 [root] INFO: Stopping auxiliary module: Procmon
2026-01-29 02:15:04,413 [lib.common.results] INFO: Uploading file C:\g98nejrp\bin\procmon.xml to aux/procmon.xml; Size is 30062719; Max size: 100000000
2026-01-29 02:15:04,476 [root] INFO: Stopping auxiliary module: Screenshots
2026-01-29 02:15:04,476 [root] INFO: Finishing auxiliary modules
2026-01-29 02:15:04,476 [root] INFO: Shutting down pipe server and dumping dropped files
2026-01-29 02:15:04,476 [root] WARNING: Folder at path "C:\BkxcTZdb\debugger" does not exist, skipping
2026-01-29 02:15:04,476 [root] WARNING: Folder at path "C:\BkxcTZdb\tlsdump" does not exist, skipping
2026-01-29 02:15:04,476 [root] INFO: Analysis completed
```

THE CUCKOO.py LOG

```text
poetry run python cuckoo.py 

  .-----------------. 
  | Cuckoo Sandbox? | 
  |      OH NOES!    |\  '-.__.-' 
  '-----------------' \  /oo |--.--,--,--. 
                         \_.-'._i__i__i_.' 
                               """"""""" 

 Cuckoo Sandbox 2.5 
 www.cuckoosandbox.org 
 Copyright (c) 2010-2015 

 CAPE: Config and Payload Extraction 
 github.com/kevoreilly/CAPEv2 

 pip3 install certvalidator asn1crypto mscerts 
 OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/DissectMalware/batch_deobfuscator 

 2026-01-28 20:49:36,708 [modules.processing.network] ERROR: OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/CAPESandbox/httpreplay 
 /usr/bin/tcpdump 
 2026-01-28 20:49:36,921 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[kvm] with max_machines_count=10 
 2026-01-28 20:49:36,921 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited 
 2026-01-28 20:49:36,943 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine 
 2026-01-28 20:49:36,957 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5 
 2026-01-28 20:49:36,960 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks 

 2026-01-28 20:49:52,057 [lib.cuckoo.core.machinery_manager] INFO: Task #3: found useable machine win10_0 (arch=x64, platform=windows) 
 2026-01-28 20:49:52,057 [lib.cuckoo.core.scheduler] INFO: Task #3: Processing task 

 2026-01-28 20:49:52,085 [lib.cuckoo.core.analysis_manager] INFO: Task #3: File already exists at '/opt/CAPEv2/storage/binaries/66ce62a3cacca59a5c7dfc1d184d0a85641a285a372543ab8cfc646dbba7aa62' 

 2026-01-28 20:49:52,086 [lib.cuckoo.core.analysis_manager] INFO: Task #3: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_xaa9axbb/Stealer.exe' 
 2026-01-28 20:49:58,426 [lib.cuckoo.core.analysis_manager] INFO: Task #3: Enabled route 'internet'. 
 2026-01-28 20:49:58,429 [modules.auxiliary.Mitmdump] INFO: Mitmdump module loaded 
 2026-01-28 20:49:58,429 [modules.auxiliary.PolarProxy] INFO: PolarProxy module loaded 
 2026-01-28 20:49:58,430 [modules.auxiliary.QemuScreenshots] INFO: QEMU screenshots module loaded 
 /usr/bin/tcpdump 

 2026-01-28 20:49:58,438 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 17283 (interface=virbr1, host=192.168.55.2, dump path=/opt/CAPEv2/storage/analyses/3/dump.pcap) 
 2026-01-28 20:49:58,566 [lib.cuckoo.core.guest] INFO: Task #3: Starting analysis on guest (id=win10_0, ip=192.168.55.2) 
 2026-01-28 20:49:58,572 [lib.cuckoo.core.guest] INFO: Task #3: Guest is running CAPE Agent 0.20 (id=win10_0, ip=192.168.55.2) 
 2026-01-28 20:49:59,483 [lib.cuckoo.core.guest] INFO: Task #3: Uploading script files to guest (id=win10_0, ip=192.168.55.2) 
 2026-01-28 20:50:20,696 [lib.cuckoo.core.guest] INFO: Task #3: Analysis completed successfully (id=win10_0, ip=192.168.55.2) 
 2026-01-28 20:50:20,790 [lib.cuckoo.core.analysis_manager] INFO: Task #3: Disabled route 'internet' 
 2026-01-28 20:50:24,303 [lib.cuckoo.core.analysis_manager] INFO: Task #3: Completed analysis successfully. 
 2026-01-28 20:50:24,309 [lib.cuckoo.core.analysis_manager] INFO: Task #3: analysis procedure completed
```

PROCESSING.CONF

```ini
[behavior] 
enabled = yes 
anomaly = yes 
processtree = yes 
summary = yes 
enhanced = yes 
encryptedbuffers = yes 
loop_detection = no 
analysis_call_limit = 0 
ram_boost = no 
replace_patterns = yes 
file_activities = yes 

ram_mmap = no 

[tracee] 
enabled = no 

[strace] 
enabled = no 
processtree = no 
platform = linux 
update_file_descriptors = yes 

[debug] 
enabled = yes 
buffer = 0 

[detections] 
enabled = yes 
behavior = yes 
yara = yes 
suricata = yes 
virustotal = no 
clamav = no 

[procmemory] 
enabled = yes 
strings = yes 

[procmon] 
enabled = yes
```

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. step 1
  2. step 2
  3. you get it...

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

Kali Linux running the host on Hyper-V

The analysis VM is a nested KVM Windows 10 21H2 VM that has been debloated with several scripts as well as manually, with no Defender or UAC. 32-bit Python was installed as well.

| Question | Answer |
|---|---|
| Git commit | Type `$ git log` |
| OS version | Ubuntu 16.04, Windows 10, macOS 10.12.3 |

Failure Logs

Please include any relevant log snippets or files here.
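As a triage aid for the kind of guest analysis.log quoted in this report, here is an added Python example; it is not CAPEv2 code and was not posted by the reporter. It assumes the `YYYY-MM-DD HH:MM:SS,mmm [module] LEVEL: message` line format seen above, the embedded lines are a constructed subset of the quoted log, and the 5-second lifetime threshold is an arbitrary assumption. It parses each line, builds a per-pid timeline from the inject/resume/terminate messages, and reports processes that exited almost immediately after being resumed (the situation in which the monitor never gets to write behavior logs) alongside every WARNING/ERROR line, such as the package configuration error.

```python
"""Triage a CAPE guest analysis.log for monitored processes that die right after resume.

Added example for this issue page; not part of CAPEv2.
Assumed line format: "2026-01-29 02:14:49,944 [lib.api.process] INFO: message".
"""
import re
from datetime import datetime

# Constructed subset of the analysis.log lines quoted in the issue.
SAMPLE_LOG = """\
2026-01-29 02:14:49,929 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-01-29 02:14:49,944 [lib.api.process] INFO: Successfully executed process from path "C:\\Users\\cape\\AppData\\Local\\Temp\\Stealer.exe" with arguments "" with pid 3080
2026-01-29 02:14:49,976 [root] DEBUG: Loader: Injecting process 3080 (thread 3252) with C:\\g98nejrp\\dll\\mlUnNWv.dll.
2026-01-29 02:14:49,976 [lib.api.process] INFO: Injected into 64-bit <Process 3080 Stealer.exe>
2026-01-29 02:14:51,991 [lib.api.process] INFO: Successfully resumed <Process 3080 Stealer.exe>
2026-01-29 02:14:53,007 [lib.api.process] WARNING: failed to open process 3080
2026-01-29 02:14:53,007 [lib.api.process] DEBUG: Failed getting exit code for <Process 3080 ???>
2026-01-29 02:14:53,007 [root] INFO: Process with pid 3080 appears to have terminated
2026-01-29 02:14:58,085 [root] INFO: Process list is empty, terminating analysis
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<module>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Messages that mark one step in the life of a monitored pid (group 1 = pid).
PHASES = {
    "executed": re.compile(r"Successfully executed process .* with pid (\d+)"),
    "injected": re.compile(r"Injected into \d+-bit <Process (\d+) "),
    "resumed": re.compile(r"Successfully resumed <Process (\d+) "),
    "open_failed": re.compile(r"failed to open process (\d+)"),
    "terminated": re.compile(r"Process with pid (\d+) appears to have terminated"),
}


def parse_log(text):
    """Yield (timestamp, module, level, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["module"], m["level"], m["msg"]


def process_timelines(text):
    """Map pid -> {phase: timestamp of the first line reporting that phase}."""
    timelines = {}
    for ts, _module, _level, msg in parse_log(text):
        for phase, rx in PHASES.items():
            m = rx.search(msg)
            if m:
                timelines.setdefault(m.group(1), {}).setdefault(phase, ts)
    return timelines


def triage(text, max_lifetime_s=5.0):
    """Return short-lived injected pids (seconds from resume to termination)
    and every WARNING/ERROR message, so both clues surface in one pass."""
    findings = {"short_lived": {}, "warnings": []}
    for pid, phases in process_timelines(text).items():
        if {"injected", "resumed", "terminated"} <= set(phases):
            lifetime = (phases["terminated"] - phases["resumed"]).total_seconds()
            if lifetime <= max_lifetime_s:
                findings["short_lived"][pid] = lifetime
    for _ts, module, level, msg in parse_log(text):
        if level in ("WARNING", "ERROR"):
            findings["warnings"].append(f"{level} [{module}] {msg}")
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for pid, secs in result["short_lived"].items():
        print(f"pid {pid}: terminated {secs:.3f}s after resume; no time to produce behavior logs")
    for warning in result["warnings"]:
        print("  ", warning)
```

Run it with the path to a task's analysis.log as the first argument, or with no argument to see the constructed sample. A process that is injected, resumed and gone within about a second is the first thing to explain before looking at processing.conf: an empty logs directory is the expected outcome when nothing ran long enough to be monitored.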
