File FCO-Clyde[2).docx

Size 210.4KB
Type Microsoft Word 2007+
MD5 c347cd5df3c7cfc180d9ab78d970fdcf
SHA1 fe4bfae38fa845aff6215c100ba8847cd312ef39
SHA256 5bd1f7c91f38ad0597adfe84341b8f1643e25cbbb9e18497149cbba2870e6006
SHA512 b0c012d5b0894b76a928f8ac5a253aee442ee304fb8c38ddd95a68f559fdb357ebeb9d69c233f907c561ee0b11671edfca70fe30e5d61db29362f47e09c6b272
CRC32 1A8CC74D
ssdeep None
Yara None matched
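A .docx that drops nothing and contacts no host (as the rest of this report shows) can still carry its payload in the container itself, so the static check an analyst runs next is a walk over the OOXML zip for a VBA project, relationships that point outside the package (remote template, external OLE link), DDE/DDEAUTO field codes and embedded OLE/ActiveX parts. The following added example is my own helper, not code from the sandbox or from this report; the two documents it scans are constructed in memory (the "example.invalid" template URL and the placeholder binary parts are made up) and nothing in it describes the contents of FCO-Clyde[2).docx, which this page does not show.

```python
"""Static triage of an OOXML (.docx) package: list the structures an analyst
inspects before trusting a quiet sandbox run.  Added example; the documents it
scans are built in memory and are not the file analysed in this report."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def triage_docx(data: bytes) -> dict:
    """Return the suspicious structures found in the zip bytes of a .docx."""
    f = {"macros": [], "external_rels": [], "dde_fields": [], "ole_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):          # VBA project present
                f["macros"].append(name)
            if low.startswith(("word/embeddings/", "word/activex/")):
                f["ole_parts"].append(name)             # embedded OLE / ActiveX
            if low.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(PKG_REL + "Relationship"):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    # hyperlinks are external by nature; any other relationship
                    # that leaves the package (e.g. attachedTemplate) is worth a look
                    if rel.get("TargetMode") == "External" and rtype != "hyperlink":
                        f["external_rels"].append((name, rtype, rel.get("Target", "")))
            elif low.startswith("word/") and low.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                for el in root.iter(W + "instrText"):   # complex field code runs
                    if el.text and DDE_RE.search(el.text):
                        f["dde_fields"].append((name, el.text.strip()))
                for el in root.iter(W + "fldSimple"):   # simple fields carry w:instr
                    if DDE_RE.search(el.get(W + "instr", "")):
                        f["dde_fields"].append((name, el.get(W + "instr").strip()))
    return f


def is_suspicious(findings: dict) -> bool:
    return any(findings.values())


# --- constructed samples (not the analysed document) ----------------------
DOC = ('<?xml version="1.0" encoding="UTF-8"?>'
       '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
       '<w:body><w:p><w:r><w:t>constructed body text</w:t></w:r></w:p>%s</w:body></w:document>')
DDE_PARA = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe '
            '"/c echo constructed" </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
RELS_EXTERNAL = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                 '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                 'relationships/attachedTemplate" Target="http://example.invalid/template.dotm" '
                 'TargetMode="External"/></Relationships>')


def build_docx(parts: dict) -> bytes:
    """Zip the given part name -> content mapping into an in-memory package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def clean_docx() -> bytes:
    return build_docx({"word/document.xml": DOC % ""})


def suspicious_docx() -> bytes:
    return build_docx({
        "word/document.xml": DOC % DDE_PARA,
        "word/_rels/settings.xml.rels": RELS_EXTERNAL,
        "word/vbaProject.bin": b"\x00" * 16,            # placeholder, not a real VBA stream
        "word/embeddings/oleObject1.bin": b"\x00" * 16, # placeholder OLE part
    })


if __name__ == "__main__":
    for label, doc in (("clean", clean_docx()), ("suspicious", suspicious_docx())):
        print(label, triage_docx(doc))
```

Run it against the real sample's bytes with triage_docx(open(path, "rb").read()); an empty result does not clear the file (the report's "Yara None matched" is a similar negative), but a non-empty one tells you which part to open next.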

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.1 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: July 8, 2025, 4:17 p.m.
Completed: July 8, 2025, 4:24 p.m.
Duration: 380 seconds
Routing: internet

Analyzer Log

2025-07-08 16:17:51,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpzepe2z
2025-07-08 16:17:51,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\dpXNTPIsNXVUNXJxnIaRNKQYwo
2025-07-08 16:17:51,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\rCPndVQUmWFKPOUfWGqohdSqIjDH
2025-07-08 16:17:51,500 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-08 16:17:51,500 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-08 16:17:52,125 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-08 16:17:52,342 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-07-08 16:17:52,342 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-08 16:17:52,342 [analyzer] DEBUG: Started auxiliary module Human
2025-07-08 16:17:52,342 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-08 16:17:52,358 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-08 16:17:52,421 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-08 16:17:52,421 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-08 16:17:52,437 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-08 16:17:52,437 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-08 16:17:52,578 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\FCO-Clyde[2).docx'] and pid 2524
2025-07-08 16:17:52,578 [analyzer] INFO: Enabled timeout enforce, running for the full timeout.
2025-07-08 16:17:52,703 [analyzer] DEBUG: Loaded monitor into process with pid 2524
2025-07-08 16:17:56,312 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Roaming\Microsoft\Office\MSO1033.acl
2025-07-08 16:17:57,858 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Local\Temp\~$O-Clyde[2).docx
2025-07-08 16:17:58,562 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5661A746-25D2-41D3-AE63-C015FDA3F806}.tmp
2025-07-08 16:17:59,125 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE442617.png
2025-07-08 16:18:00,342 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
2025-07-08 15:20:57,302 [analyzer] INFO: Added new file to list with pid 2524 and path C:\Users\Administrator\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2025-07-08 15:22:40,256 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-08 15:22:40,895 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-08 15:22:40,895 [lib.api.process] INFO: Successfully terminated process with pid 2524.
2025-07-08 15:22:40,895 [analyzer] INFO: Error dumping file from path "c:\users\administrator\appdata\local\microsoft\windows\temporary internet files\content.mso\ce442617.png": [Errno 13] Permission denied: u'c:\\users\\administrator\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\ce442617.png'
2025-07-08 15:22:41,006 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-08 16:17:56,728 [cuckoo.core.scheduler] INFO: Task #6689502: acquired machine win7x6417 (label=win7x6417)
2025-07-08 16:17:56,730 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.217 for task #6689502
2025-07-08 16:17:57,031 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 506174 (interface=vboxnet0, host=192.168.168.217)
2025-07-08 16:17:57,092 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6417
2025-07-08 16:17:57,753 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6417 to vmcloak
2025-07-08 16:20:31,917 [cuckoo.core.guest] INFO: Starting analysis #6689502 on guest (id=win7x6417, ip=192.168.168.217)
2025-07-08 16:20:32,923 [cuckoo.core.guest] DEBUG: win7x6417: not ready yet
2025-07-08 16:20:38,065 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6417, ip=192.168.168.217)
2025-07-08 16:20:38,224 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6417, ip=192.168.168.217, monitor=latest, size=6660546)
2025-07-08 16:20:39,643 [cuckoo.core.resultserver] DEBUG: Task #6689502: live log analysis.log initialized.
2025-07-08 16:20:40,928 [cuckoo.core.resultserver] DEBUG: Task #6689502 is sending a BSON stream
2025-07-08 16:20:41,305 [cuckoo.core.resultserver] DEBUG: Task #6689502 is sending a BSON stream
2025-07-08 16:20:42,158 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0001.jpg'
2025-07-08 16:20:42,177 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 133437
2025-07-08 16:20:44,309 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0002.jpg'
2025-07-08 16:20:44,330 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 121090
2025-07-08 16:20:45,407 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0003.jpg'
2025-07-08 16:20:45,421 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 123557
2025-07-08 16:20:46,510 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0004.jpg'
2025-07-08 16:20:46,522 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 123849
2025-07-08 16:20:47,684 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0005.jpg'
2025-07-08 16:20:47,704 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 123899
2025-07-08 16:20:48,789 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0006.jpg'
2025-07-08 16:20:48,800 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 123723
2025-07-08 16:20:49,878 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0007.jpg'
2025-07-08 16:20:49,889 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 123905
2025-07-08 16:20:50,963 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0008.jpg'
2025-07-08 16:20:50,974 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 111255
2025-07-08 16:20:54,369 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:20:57,151 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0009.jpg'
2025-07-08 16:20:57,166 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 117500
2025-07-08 16:21:00,271 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0010.jpg'
2025-07-08 16:21:00,279 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 93262
2025-07-08 16:21:07,497 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0011.jpg'
2025-07-08 16:21:07,507 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 92626
2025-07-08 16:21:09,462 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:21:24,591 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:21:39,681 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:21:54,772 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:22:09,851 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:22:24,949 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:22:40,031 [cuckoo.core.guest] DEBUG: win7x6417: analysis #6689502 still processing
2025-07-08 16:22:40,458 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'curtain/1751980960.43.curtain.log'
2025-07-08 16:22:40,461 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 36
2025-07-08 16:22:40,869 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'sysmon/1751980960.79.sysmon.xml'
2025-07-08 16:22:40,913 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 4241528
2025-07-08 16:22:40,923 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'files/7aea3ff1bfd57255_~$o-clyde[2).docx'
2025-07-08 16:22:40,926 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 162
2025-07-08 16:22:40,928 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'files/c587288ec12f471f_mso1033.acl'
2025-07-08 16:22:40,930 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 37762
2025-07-08 16:22:40,931 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'files/b3d510ef04275ca8_custom.dic'
2025-07-08 16:22:40,941 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 2
2025-07-08 16:22:40,948 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'files/298e75b39865c023_~wrs{5661a746-25d2-41d3-ae63-c015fda3f806}.tmp'
2025-07-08 16:22:40,950 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 11264
2025-07-08 16:22:40,986 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'files/5e9b4e081abe7439_built-in building blocks.dotx'
2025-07-08 16:22:41,030 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 4187307
2025-07-08 16:22:41,487 [cuckoo.core.resultserver] DEBUG: Task #6689502: File upload for 'shots/0012.jpg'
2025-07-08 16:22:41,500 [cuckoo.core.resultserver] DEBUG: Task #6689502 uploaded file length: 139722
2025-07-08 16:22:41,513 [cuckoo.core.resultserver] DEBUG: Task #6689502 had connection reset for <Context for LOG>
2025-07-08 16:22:43,042 [cuckoo.core.guest] INFO: win7x6417: analysis completed successfully
2025-07-08 16:22:43,058 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-08 16:22:43,077 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-08 16:22:43,914 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6417 to path /srv/cuckoo/cwd/storage/analyses/6689502/memory.dmp
2025-07-08 16:22:43,915 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6417
2025-07-08 16:24:16,658 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.217 for task #6689502
2025-07-08 16:24:17,027 [cuckoo.core.scheduler] DEBUG: Released database task #6689502
2025-07-08 16:24:17,047 [cuckoo.core.scheduler] INFO: Task #6689502: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (1 event)
Note: a single 4096-byte page at 0x000007fef4322000 was re-protected to PAGE_EXECUTE_READWRITE inside WINWORD.EXE itself (process_handle 0xffffffffffffffff is the current-process pseudo-handle), with stack_dep_bypass, stack_pivoted and heap_dep_bypass all 0. The address lies in the same high 0x7fe... range as the mso, rpcrt4 and kernelbase frames in the stack traces below, where loaded images live on this guest, rather than at the low addresses typical of heap; check it against the module list in memory.dmp before reading it as unpacking.
API: NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef4322000
process_handle: 0xffffffffffffffff
Status: 1  Return: 0x0 (STATUS_SUCCESS)  Repeated: 0
One or more processes crashed (1 event)
Event: __exception__
stacktrace:
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd9c9e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff7a73c3
NdrClientCall2+0x6b3 NdrClearOutParameters-0xf3d rpcrt4+0xe1493 @ 0x7feff871493
NdrClientCall2+0x1d NdrClearOutParameters-0x15d3 rpcrt4+0xe0dfd @ 0x7feff870dfd
SLGetEncryptedPIDEx+0xac57 SLCallServer-0x63d osppc+0x1a0af @ 0x749da0af
SLpVLActivateProduct+0xe9 SLpGetMSPidInformation-0xcb osppc+0xc7cd @ 0x749cc7cd
SLActivateProduct+0x3df SLGetServerStatus-0xca1 osppcext+0x3a48f @ 0x7452a48f
??0OdfStgParams@@QEAA@XZ+0xe6804 mso+0x1013a38 @ 0x7feee2f3a38
MsoCompareStringA+0x145a5a MsoGetTextExtentExPointW-0x1ed15a mso+0x59c84e @ 0x7feed87c84e
MsoFreeCvsList+0x18ee2 MsoFreeFlinfo-0x3fc8a mso+0x1d4e1e @ 0x7feed4b4e1e
MsoFreeCvsList+0x19202 MsoFreeFlinfo-0x3f96a mso+0x1d513e @ 0x7feed4b513e
MsoFreeCvsList+0x18d23 MsoFreeFlinfo-0x3fe49 mso+0x1d4c5f @ 0x7feed4b4c5f
MsoFreeCvsList+0x18c9c MsoFreeFlinfo-0x3fed0 mso+0x1d4bd8 @ 0x7feed4b4bd8
MsoFGetButtonSize+0x7e280 MsoPwlfFromFlinfo-0x10af0 mso+0x12511c @ 0x7feed40511c
MsoFGetButtonSize+0x7df94 MsoPwlfFromFlinfo-0x10ddc mso+0x124e30 @ 0x7feed404e30
MsoFGetButtonSize+0x7de30 MsoPwlfFromFlinfo-0x10f40 mso+0x124ccc @ 0x7feed404ccc
MsoFGetButtonSize+0x7d934 MsoPwlfFromFlinfo-0x1143c mso+0x1247d0 @ 0x7feed4047d0
MsoUninitOffice+0x99d MsoFHideTaiwan-0xf57 mso+0x21c11 @ 0x7feed301c11
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x778a652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x77adc541

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 90 90 90 90 90 90 90 90
exception.symbol: RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 40541
exception.address: 0x7fefd9c9e5d
registers.r14: 0
registers.r15: 0
registers.rcx: 138471104
registers.rsi: 0
registers.r10: 106001600
registers.rbx: 0
registers.rsp: 138476320
registers.r11: 27
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2146892971
registers.r13: 0
Status: 1  Return: 0  Repeated: 0
An application raised an exception which may be indicative of an exploit crash (2 events)
Application Crash: process WINWORD.EXE with pid 2524 crashed.
Note: this is the same exception recorded under "One or more processes crashed" above. The code 0x8007007b is an HRESULT (severity 1, facility 7 = FACILITY_WIN32, Win32 error 123 = ERROR_INVALID_NAME), and the stack runs from SLActivateProduct in osppcext/osppc (the Office Software Protection Platform client) through NdrClientCall2 into RpcRaiseException: a licensing RPC call failed inside the sandbox VM and the failure was rethrown as a software exception with RaiseException. The faulting instruction (add rsp, 0xc8 followed by ret) is RaiseException's own epilogue, i.e. legitimate code raising a deliberate exception, so on its own this crash is not evidence of a document-parser exploit.
Event: __exception__
stacktrace:
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd9c9e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff7a73c3
NdrClientCall2+0x6b3 NdrClearOutParameters-0xf3d rpcrt4+0xe1493 @ 0x7feff871493
NdrClientCall2+0x1d NdrClearOutParameters-0x15d3 rpcrt4+0xe0dfd @ 0x7feff870dfd
SLGetEncryptedPIDEx+0xac57 SLCallServer-0x63d osppc+0x1a0af @ 0x749da0af
SLpVLActivateProduct+0xe9 SLpGetMSPidInformation-0xcb osppc+0xc7cd @ 0x749cc7cd
SLActivateProduct+0x3df SLGetServerStatus-0xca1 osppcext+0x3a48f @ 0x7452a48f
??0OdfStgParams@@QEAA@XZ+0xe6804 mso+0x1013a38 @ 0x7feee2f3a38
MsoCompareStringA+0x145a5a MsoGetTextExtentExPointW-0x1ed15a mso+0x59c84e @ 0x7feed87c84e
MsoFreeCvsList+0x18ee2 MsoFreeFlinfo-0x3fc8a mso+0x1d4e1e @ 0x7feed4b4e1e
MsoFreeCvsList+0x19202 MsoFreeFlinfo-0x3f96a mso+0x1d513e @ 0x7feed4b513e
MsoFreeCvsList+0x18d23 MsoFreeFlinfo-0x3fe49 mso+0x1d4c5f @ 0x7feed4b4c5f
MsoFreeCvsList+0x18c9c MsoFreeFlinfo-0x3fed0 mso+0x1d4bd8 @ 0x7feed4b4bd8
MsoFGetButtonSize+0x7e280 MsoPwlfFromFlinfo-0x10af0 mso+0x12511c @ 0x7feed40511c
MsoFGetButtonSize+0x7df94 MsoPwlfFromFlinfo-0x10ddc mso+0x124e30 @ 0x7feed404e30
MsoFGetButtonSize+0x7de30 MsoPwlfFromFlinfo-0x10f40 mso+0x124ccc @ 0x7feed404ccc
MsoFGetButtonSize+0x7d934 MsoPwlfFromFlinfo-0x1143c mso+0x1247d0 @ 0x7feed4047d0
MsoUninitOffice+0x99d MsoFHideTaiwan-0xf57 mso+0x21c11 @ 0x7feed301c11
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x778a652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x77adc541

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 90 90 90 90 90 90 90 90
exception.symbol: RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 40541
exception.address: 0x7fefd9c9e5d
registers.r14: 0
registers.r15: 0
registers.rcx: 138471104
registers.rsi: 0
registers.r10: 106001600
registers.rbx: 0
registers.rsp: 138476320
registers.r11: 27
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2146892971
registers.r13: 0
Status: 1  Return: 0  Repeated: 0
Creates (office) documents on the filesystem (1 event)
file C:\Users\Administrator\AppData\Local\Temp\~$O-Clyde[2).docx
Creates hidden or system file (1 event)
Note: both signatures fire on the same path. A hidden file named "~$" plus the tail of the document name, in the directory the document was opened from, is the owner lock file Word writes for every document it opens; the 162-byte 'files/7aea3ff1bfd57255_~$o-clyde[2).docx' upload in the Cuckoo log is that file, not a dropped payload.
API: NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000000000003b8
filepath: C:\Users\Administrator\AppData\Local\Temp\~$O-Clyde[2).docx
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\ADMINI~1\AppData\Local\Temp\~$O-Clyde[2).docx
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1  Return: 0x0 (STATUS_SUCCESS)  Repeated: 0
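Reading the signature events above by hand is error-prone, so here is a small added example (my own helper, not Cuckoo code) that does the arithmetic for the three things a practitioner wants to verify: it decodes the exception code as an HRESULT, recovers each module's load base from the "module+rva @ va" frames of the stack trace, and reports where the RWX page from NtProtectVirtualMemory sits relative to those bases. The stack trace and addresses are copied from this report; the only lookup table it carries is the one Win32 error code that appears here. The report gives no module sizes, so the last step can only say which module is nearest below the page, not prove the page belongs to it.

```python
"""Triage helpers for the signature events in this Cuckoo report.  Added
example, not sandbox code; the stack frames and addresses below are copied
from the report."""
import re

# One frame per line: "<symbol>+<off> <neighbour>-<off> <module>+<rva> @ <va>"
FRAME_RE = re.compile(
    r"(?P<module>[A-Za-z0-9_.]+)\+0x(?P<rva>[0-9a-f]+) @ 0x(?P<va>[0-9a-f]+)\s*$")

FACILITY_WIN32 = 7
WIN32_ERROR_NAMES = {123: "ERROR_INVALID_NAME"}  # the only code this report needs

STACKTRACE = """\
RaiseException+0x3d NlsValidateLocale-0x13 kernelbase+0x9e5d @ 0x7fefd9c9e5d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff7a73c3
NdrClientCall2+0x6b3 NdrClearOutParameters-0xf3d rpcrt4+0xe1493 @ 0x7feff871493
NdrClientCall2+0x1d NdrClearOutParameters-0x15d3 rpcrt4+0xe0dfd @ 0x7feff870dfd
SLGetEncryptedPIDEx+0xac57 SLCallServer-0x63d osppc+0x1a0af @ 0x749da0af
SLpVLActivateProduct+0xe9 SLpGetMSPidInformation-0xcb osppc+0xc7cd @ 0x749cc7cd
SLActivateProduct+0x3df SLGetServerStatus-0xca1 osppcext+0x3a48f @ 0x7452a48f
??0OdfStgParams@@QEAA@XZ+0xe6804 mso+0x1013a38 @ 0x7feee2f3a38
MsoCompareStringA+0x145a5a MsoGetTextExtentExPointW-0x1ed15a mso+0x59c84e @ 0x7feed87c84e
MsoFreeCvsList+0x18ee2 MsoFreeFlinfo-0x3fc8a mso+0x1d4e1e @ 0x7feed4b4e1e
MsoFreeCvsList+0x19202 MsoFreeFlinfo-0x3f96a mso+0x1d513e @ 0x7feed4b513e
MsoFreeCvsList+0x18d23 MsoFreeFlinfo-0x3fe49 mso+0x1d4c5f @ 0x7feed4b4c5f
MsoFreeCvsList+0x18c9c MsoFreeFlinfo-0x3fed0 mso+0x1d4bd8 @ 0x7feed4b4bd8
MsoFGetButtonSize+0x7e280 MsoPwlfFromFlinfo-0x10af0 mso+0x12511c @ 0x7feed40511c
MsoFGetButtonSize+0x7df94 MsoPwlfFromFlinfo-0x10ddc mso+0x124e30 @ 0x7feed404e30
MsoFGetButtonSize+0x7de30 MsoPwlfFromFlinfo-0x10f40 mso+0x124ccc @ 0x7feed404ccc
MsoFGetButtonSize+0x7d934 MsoPwlfFromFlinfo-0x1143c mso+0x1247d0 @ 0x7feed4047d0
MsoUninitOffice+0x99d MsoFHideTaiwan-0xf57 mso+0x21c11 @ 0x7feed301c11
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x778a652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c541 @ 0x77adc541
"""


def decode_hresult(code: int) -> dict:
    """Split an HRESULT into severity, facility and code; name Win32 codes."""
    facility = (code >> 16) & 0x1FFF
    low = code & 0xFFFF
    return {
        "severity": (code >> 31) & 1,
        "facility": facility,
        "code": low,
        "win32_name": WIN32_ERROR_NAMES.get(low) if facility == FACILITY_WIN32 else None,
    }


def module_bases(stacktrace: str) -> dict:
    """Recover each module's load base as va - rva.  Frames of one module must
    agree, which doubles as a check that the symbolisation is self-consistent."""
    bases = {}
    for line in stacktrace.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue
        base = int(m["va"], 16) - int(m["rva"], 16)
        if bases.setdefault(m["module"], base) != base:
            raise ValueError(f"inconsistent base for {m['module']}: {base:#x}")
    return bases


def locate_page(page: int, bases: dict):
    """Return (module, offset) for the module whose base is nearest below `page`,
    or None.  Without module sizes a large offset only means the page is not
    attributable to any module on the stack; check the full module list."""
    below = {mod: b for mod, b in bases.items() if b <= page}
    if not below:
        return None
    mod = max(below, key=below.get)
    return mod, page - below[mod]


def max_rva_seen(stacktrace: str, module: str) -> int:
    """Largest RVA observed for `module` on the stack: a lower bound on its size."""
    return max((int(m["rva"], 16) for m in map(FRAME_RE.search, stacktrace.splitlines())
                if m and m["module"] == module), default=0)


if __name__ == "__main__":
    print(decode_hresult(0x8007007B))
    bases = module_bases(STACKTRACE)
    for mod, base in sorted(bases.items(), key=lambda kv: kv[1]):
        print(f"{mod:10s} base {base:#x}")
    mod, off = locate_page(0x000007FEF4322000, bases)
    print(f"RWX page is {off:#x} above {mod} base; largest {mod} RVA on the stack "
          f"is {max_rva_seen(STACKTRACE, mod):#x}")
```

For this report the page lands 0x7042000 bytes above mso's base while the largest mso RVA on the stack is 0x1013a38, so the page is not provably inside any module the trace names; that is the point at which to pull the process's module list from memory.dmp rather than argue from the address alone.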
DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
Hosts (IP Address / Status / Action / VT / Location): no hosts contacted.