Summary: Chaplin.exe, when run, disables all network adapters, then looks for screen.exe and executes it. Screen.exe deletes the Lsa registry key, starts the video and opens the registry, which stops the administrator from restoring the registry value.
Initial detail insight:
Disabling all network adapters
Deleting the Lsa entry makes the computer unusable after a forced reboot (Windows enters a boot loop and never reaches the login screen)
Stopping the administrator from modifying the registry value, because the RegCloseKey function is never called after RegFlushKey
More detail on RegFlushKey()
This function runs "Video.wav"
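A triage script for the behaviour described above, added here as an example and not part of the original analysis. It assumes the "Lsa registry key" is HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that the sample's process names are chaplin.exe and screen.exe as named above; it backs up the key before it can be deleted, reports disabled adapters and flags the running processes.

```powershell
# Added triage script (example, not from the original analysis).
# Assumptions: the "Lsa registry key" is HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# and the sample processes are named chaplin / screen. Run from an elevated session.
$LsaKeyPS    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaKeyReg   = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
$BackupPath  = "$env:SystemDrive\Lsa-backup.reg"
$SampleNames = @('chaplin', 'screen')

# 1. Back up the Lsa key while it still exists, so it can be restored (e.g. from WinRE)
#    if the sample deletes it and the machine ends up in the boot loop described above.
if (Test-Path $LsaKeyPS) {
    reg.exe export $LsaKeyReg $BackupPath /y | Out-Null
    Write-Host "Lsa key present; backup written to $BackupPath"
} else {
    Write-Warning 'Lsa key is MISSING - do not reboot; restore it from a backup or a known-good host first.'
}

# 2. Report network adapters the sample would have disabled.
$disabled = Get-NetAdapter | Where-Object Status -eq 'Disabled'
if ($disabled) {
    Write-Warning "Disabled adapters: $($disabled.Name -join ', ')"
    # Re-enable (Enable-NetAdapter) only after the processes below are stopped,
    # otherwise they are disabled again.
}

# 3. Flag the sample processes. Stopping them also releases the registry handle
#    left open by the missing RegCloseKey call, so the value can be modified again.
$procs = Get-Process -Name $SampleNames -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    Write-Warning "Running: $($p.Name) (PID $($p.Id)) from $($p.Path)"
}
# Stop-Process -Id $procs.Id -Force   # uncomment once the processes are confirmed
```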
Screenshot of the video
IOCs: 837e9bb07d884385d077d4ea77797df8 94c2aa418ae356820ee15efc7bfeb923 b86678403d77efbdba3d2b1c93500dfc