So I've been suspecting that my computer has some advanced malware attacking it for the past few days. Today my computer told me my PIN was incorrect multiple times despite it being the correct PIN, then the challenge code pops up, and before I can type in anything my computer bluescreens.
Microsoft (R) Windows Debugger Version 10.0.22415.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`26200000 PsLoadedModuleList = 0xfffff803`26e2a270
Debug session time: Tue Oct 26 12:43:25.468 2021 (UTC - 5:00)
System Uptime: 1 days 22:03:27.576
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000df`90862018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`265f71b0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff883`e3bd7020=0000000000000139
3: kd> !analyze -v
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff883e3bd7340, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff883e3bd7298, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2296
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3323
Key : Analysis.Init.CPU.mSec
Value: 2686
Key : Analysis.Init.Elapsed.mSec
Value: 70753
Key : Analysis.Memory.CommitPeak.Mb
Value: 87
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffff883e3bd7340
BUGCHECK_P3: fffff883e3bd7298
BUGCHECK_P4: 0
TRAP_FRAME: fffff883e3bd7340 -- (.trap 0xfffff883e3bd7340)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80340d94310 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80340d796ba rsp=fffff883e3bd74d0 rbp=ffffffffffffffff
r8=00000000615333e3 r9=00000000000000be r10=ffffc1010020b100
r11=ffffc1010020b1be r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
mbamswissarmy+0x196ba:
fffff803`40d796ba cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff883e3bd7298 -- (.exr 0xfffff883e3bd7298)
ExceptionAddress: fffff80340d796ba (mbamswissarmy+0x00000000000196ba)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: MBAMService.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffff883`e3bd7018 fffff803`26609169 : 00000000`00000139 00000000`00000003 fffff883`e3bd7340 fffff883`e3bd7298 : nt!KeBugCheckEx
fffff883`e3bd7020 fffff803`26609590 : 00000000`00001001 00000000`00000fff 00000000`0010019f 00000000`00020000 : nt!KiBugCheckDispatch+0x69
fffff883`e3bd7160 fffff803`26607923 : 00000000`00000f6e ffffd88d`00000000 00000000`00001001 00000000`00000fff : nt!KiFastFailDispatch+0xd0
fffff883`e3bd7340 fffff803`40d796ba : 00000000`00000002 00000000`00000000 00000000`00000000 ffffc100`eb0c1060 : nt!KiRaiseSecurityCheckFailure+0x323
fffff883`e3bd74d0 fffff803`40d77d5a : 00000000`00000002 00000000`000000c0 00000000`00000000 ffffc100`e7201c00 : mbamswissarmy+0x196ba
fffff883`e3bd7510 fffff803`40d77b9b : ffffc100`eb0c1060 fffff883`e3bd7620 00000000`00000000 00000000`00000000 : mbamswissarmy+0x17d5a
fffff883`e3bd7570 fffff803`40d78737 : 00000000`00000000 ffffc100`eb0c1060 fffff883`e3bd7630 ffffd88d`ca5ca0c0 : mbamswissarmy+0x17b9b
fffff883`e3bd75d0 fffff803`40d69c9c : ffffd88d`cf4f9410 fffff883`e3bd76b8 00000000`00000000 ffffc100`eb0c1060 : mbamswissarmy+0x18737
fffff883`e3bd7650 fffff803`40d98648 : ffffd88d`cf4f94e0 00000000`00000000 00000000`00000000 00000000`00000000 : mbamswissarmy+0x9c9c
fffff883`e3bd76b0 fffff803`2648f6f5 : ffffd88d`cf4f9410 00000000`00000002 00000000`00000000 ffffd88d`d06862b0 : mbamswissarmy+0x38648
fffff883`e3bd7700 fffff803`268758f8 : ffffd88d`cf4f9410 00000000`00000000 00000000`00000000 ffffd88d`ca5ca0c0 : nt!IofCallDriver+0x55
fffff883`e3bd7740 fffff803`268751c5 : 00000000`00222406 fffff883`e3bd7a80 00000000`00040005 fffff883`e3bd7a80 : nt!IopSynchronousServiceTail+0x1a8
fffff883`e3bd77e0 fffff803`26874bc6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
fffff883`e3bd7920 fffff803`26608bb5 : fffff883`e3bd7a18 00000000`00000000 00000000`00000000 ffffd88d`cb0dabf0 : nt!NtDeviceIoControlFile+0x56
fffff883`e3bd7990 00007ffe`308cce54 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000df`981ff198 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`308cce54
SYMBOL_NAME: mbamswissarmy+196ba
MODULE_NAME: mbamswissarmy
IMAGE_NAME: mbamswissarmy.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 196ba
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_mbamswissarmy!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {21b9e1f3-0f98-f424-a649-bfe9ada02f6f}
Followup: MachineOwner