Can anyone make this error log make sense

222breach 1 Reputation point
2021-10-26T18:21:00.343+00:00

So I've been suspecting that my computer has some advanced malware attacking it for the past few days. Today my computer told me my PIN was incorrect multiple times despite it being the correct PIN; then the challenge code popped up, and before I could type anything my computer bluescreened.

Microsoft (R) Windows Debugger Version 10.0.22415.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80326200000 PsLoadedModuleList = 0xfffff80326e2a270
Debug session time: Tue Oct 26 12:43:25.468 2021 (UTC - 5:00)
System Uptime: 1 days 22:03:27.576
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000df90862018).  Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803265f71b0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff883`e3bd7020=0000000000000139
3: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff883e3bd7340, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff883e3bd7298, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:


KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2296

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 3323

Key  : Analysis.Init.CPU.mSec
Value: 2686

Key  : Analysis.Init.Elapsed.mSec
Value: 70753

Key  : Analysis.Memory.CommitPeak.Mb
Value: 87

Key  : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key  : FailFast.Type
Value: 3

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff883e3bd7340

BUGCHECK_P3: fffff883e3bd7298

BUGCHECK_P4: 0

TRAP_FRAME: fffff883e3bd7340 -- (.trap 0xfffff883e3bd7340)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80340d94310 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80340d796ba rsp=fffff883e3bd74d0 rbp=ffffffffffffffff
r8=00000000615333e3 r9=00000000000000be r10=ffffc1010020b100
r11=ffffc1010020b1be r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
mbamswissarmy+0x196ba:
fffff803`40d796ba cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff883e3bd7298 -- (.exr 0xfffff883e3bd7298)
ExceptionAddress: fffff80340d796ba (mbamswissarmy+0x00000000000196ba)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: MBAMService.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffff883e3bd7018 fffff80326609169 : 0000000000000139 0000000000000003 fffff883e3bd7340 fffff883e3bd7298 : nt!KeBugCheckEx
fffff883e3bd7020 fffff80326609590 : 0000000000001001 0000000000000fff 000000000010019f 0000000000020000 : nt!KiBugCheckDispatch+0x69
fffff883e3bd7160 fffff80326607923 : 0000000000000f6e ffffd88d00000000 0000000000001001 0000000000000fff : nt!KiFastFailDispatch+0xd0
fffff883e3bd7340 fffff80340d796ba : 0000000000000002 0000000000000000 0000000000000000 ffffc100eb0c1060 : nt!KiRaiseSecurityCheckFailure+0x323
fffff883e3bd74d0 fffff80340d77d5a : 0000000000000002 00000000000000c0 0000000000000000 ffffc100e7201c00 : mbamswissarmy+0x196ba
fffff883e3bd7510 fffff80340d77b9b : ffffc100eb0c1060 fffff883e3bd7620 0000000000000000 0000000000000000 : mbamswissarmy+0x17d5a
fffff883e3bd7570 fffff80340d78737 : 0000000000000000 ffffc100eb0c1060 fffff883e3bd7630 ffffd88dca5ca0c0 : mbamswissarmy+0x17b9b
fffff883e3bd75d0 fffff80340d69c9c : ffffd88dcf4f9410 fffff883e3bd76b8 0000000000000000 ffffc100eb0c1060 : mbamswissarmy+0x18737
fffff883e3bd7650 fffff80340d98648 : ffffd88dcf4f94e0 0000000000000000 0000000000000000 0000000000000000 : mbamswissarmy+0x9c9c
fffff883e3bd76b0 fffff8032648f6f5 : ffffd88dcf4f9410 0000000000000002 0000000000000000 ffffd88dd06862b0 : mbamswissarmy+0x38648
fffff883e3bd7700 fffff803268758f8 : ffffd88dcf4f9410 0000000000000000 0000000000000000 ffffd88dca5ca0c0 : nt!IofCallDriver+0x55
fffff883e3bd7740 fffff803268751c5 : 0000000000222406 fffff883e3bd7a80 0000000000040005 fffff883e3bd7a80 : nt!IopSynchronousServiceTail+0x1a8
fffff883e3bd77e0 fffff80326874bc6 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5e5
fffff883e3bd7920 fffff80326608bb5 : fffff883e3bd7a18 0000000000000000 0000000000000000 ffffd88dcb0dabf0 : nt!NtDeviceIoControlFile+0x56
fffff883e3bd7990 00007ffe308cce54 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000df981ff198 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`308cce54

SYMBOL_NAME: mbamswissarmy+196ba

MODULE_NAME: mbamswissarmy

IMAGE_NAME: mbamswissarmy.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 196ba

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_mbamswissarmy!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {21b9e1f3-0f98-f424-a649-bfe9ada02f6f}

Followup: MachineOwner


Windows 10

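As an added example (not code from this thread, from Microsoft or from WinDbg), the Python script below pulls the fields that matter for triage out of `!analyze -v` text like the dump above: the bugcheck and its fail-fast subcode, the process that was on the CPU, the first stack frame outside `nt!`, and the module WinDbg bucketed the failure to. The `SAMPLE` string is constructed from abridged lines of the posted dump, and the `FAST_FAIL_NAMES` table is a subset of the `FAST_FAIL_*` constants in winnt.h. Run against this dump it reports a 0x139 fail-fast with subcode 3 (a corrupted LIST_ENTRY) raised from mbamswissarmy.sys while MBAMService.exe was in a device control call. The caveat the summary carries: the check fires in whichever component walks the corrupted list, so the dump names the driver that tripped it, not necessarily what corrupted the memory.

```python
"""Pull the triage-relevant fields out of WinDbg `!analyze -v` output.
Added example for this thread, not Microsoft's or WinDbg's code; SAMPLE is
constructed from (abridged) lines of the dump posted above."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Subset of winnt.h FAST_FAIL_* codes; for bugcheck 0x139, Arg1 (BUGCHECK_P1) is this value.
FAST_FAIL_NAMES = {0: "LEGACY_GS_VIOLATION", 1: "VTGUARD_CHECK_FAILURE",
                   2: "STACK_COOKIE_CHECK_FAILURE", 3: "CORRUPT_LIST_ENTRY",
                   4: "INCORRECT_STACK", 5: "INVALID_ARG"}

_BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)$")  # KERNEL_SECURITY_CHECK_FAILURE (139)
_FIELD_RE = re.compile(r"^([A-Z0-9_]+):\s+(.*\S)\s*$")        # PROCESS_NAME: MBAMService.exe
_FRAME_RE = re.compile(r"^[0-9a-f`]{16,17}\s+[0-9a-f`]{16,17}\s+:.*:\s+(\S+)$")  # sp ret : args : symbol

# Constructed sample: abridged lines from the dump in the question above.
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
PROCESS_NAME: MBAMService.exe
STACK_TEXT:
fffff883e3bd7018 fffff80326609169 : 0000000000000139 0000000000000003 fffff883e3bd7340 fffff883e3bd7298 : nt!KeBugCheckEx
fffff883e3bd7020 fffff80326609590 : 0000000000001001 0000000000000fff 000000000010019f 0000000000020000 : nt!KiBugCheckDispatch+0x69
fffff883e3bd7160 fffff80326607923 : 0000000000000f6e ffffd88d00000000 0000000000001001 0000000000000fff : nt!KiFastFailDispatch+0xd0
fffff883e3bd7340 fffff80340d796ba : 0000000000000002 0000000000000000 0000000000000000 ffffc100eb0c1060 : nt!KiRaiseSecurityCheckFailure+0x323
fffff883e3bd74d0 fffff80340d77d5a : 0000000000000002 00000000000000c0 0000000000000000 ffffc100e7201c00 : mbamswissarmy+0x196ba
fffff883e3bd7700 fffff803268758f8 : ffffd88dcf4f9410 0000000000000000 0000000000000000 ffffd88dca5ca0c0 : nt!IofCallDriver+0x55
000000df981ff198 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`308cce54

SYMBOL_NAME: mbamswissarmy+196ba
MODULE_NAME: mbamswissarmy
IMAGE_NAME: mbamswissarmy.sys
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_mbamswissarmy!unknown_function
"""


@dataclass
class Triage:
    bugcheck_name: str
    bugcheck_code: int
    fast_fail: Optional[int]  # only meaningful for bugcheck 0x139
    process: str
    module: str
    image: str
    bucket: str
    frames: list[str]

    def first_non_kernel_frame(self) -> Optional[str]:
        """Walk outward from the crash; the first frame outside nt! is the usual suspect."""
        return next((s for s in self.frames if not s.startswith(("nt!", "0x"))), None)


def parse_analyze(text: str) -> Triage:
    fields: dict[str, str] = {}
    frames: list[str] = []
    name, in_stack = "", False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = _FRAME_RE.match(line)
            if m:
                frames.append(m.group(1))
                continue
            in_stack = False  # anything that is not a frame ends the stack dump
        m = _BUGCHECK_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    code = int(fields.get("BUGCHECK_CODE", "0"), 16)
    p1 = int(fields["BUGCHECK_P1"], 16) if "BUGCHECK_P1" in fields else None
    return Triage(name, code, p1 if code == 0x139 else None,
                  fields.get("PROCESS_NAME", ""), fields.get("MODULE_NAME", ""),
                  fields.get("IMAGE_NAME", ""), fields.get("FAILURE_BUCKET_ID", ""), frames)


def summarize(t: Triage) -> list[str]:
    """Findings an analyst would write up. The dump names the driver that tripped the
    check, not necessarily the component that corrupted the data it was walking."""
    notes = [f"Bugcheck 0x{t.bugcheck_code:X} {t.bugcheck_name} while {t.process} was on the CPU"]
    if t.fast_fail is not None:
        notes.append(f"Fail-fast subcode {t.fast_fail}: {FAST_FAIL_NAMES.get(t.fast_fail, 'unknown')}")
    culprit = t.first_non_kernel_frame()
    if culprit:
        notes.append(f"First frame outside the kernel: {culprit} in {t.image}")
    if t.module and t.module != "nt":
        notes.append(f"Update or remove {t.image} first, then re-test; if the crash persists, look wider")
    return notes
```

`parse_analyze(SAMPLE)` yields `fast_fail == 3`, `first_non_kernel_frame() == "mbamswissarmy+0x196ba"` and `image == "mbamswissarmy.sys"`; feeding the full text from the question instead of `SAMPLE` gives the same answers, since the parser only keys on the `NAME: value` lines and the `STACK_TEXT:` frames.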
1 answer

    Docs 15,141 Reputation points
    2021-10-27T03:51:28.803+00:00

    Please run ESET bootable and post images of the results into this thread:
    https://endpointsecurity.ca/eset-free-sysrescue-live-usb/

    Run the V2 log collector and post a share link into this thread using OneDrive, Dropbox, or Google Drive.

    https://www.windowsq.com/t/bsod-posting-instructions.17/
    https://www.windowsq.com/resources/v2-log-collector.8/
    https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

    .
    .
    .
    .
    .
    Please remember to vote and to mark the replies as answers if they help.

    On the bottom of each post there is:

    Propose as answer = answered the question

    On the left side of each post: Vote = a helpful post
    .
    .
    .
    .
    .
