We can see that the .cpl is simply a DLL with a DllMain function exported:
A quick look at the disassembly of the DLL suggests that rundll32.exe will be spawned and a new thread created in suspended mode; that thread will most likely be injected with our shellcode and then resumed to execute it:
```
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.2] 49346
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
```
Observations
Note how rundll32 spawns cmd.exe and establishes a connection back to the attacker - these are signs that should raise your suspicion when investigating a host for a compromise:
As always, Sysmon logging can help in finding suspicious command lines being executed in your environment:
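The two indicators called out above (rundll32.exe spawning a shell, and rundll32.exe initiating an outbound connection) map directly onto Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect). The following is an added example, not code from the original post: it runs a simple detection over a handful of constructed Sysmon-style events, flags each indicator on its own, and then correlates them by ProcessGuid so that a single rundll32 process exhibiting both behaviours is raised at higher priority. The event dictionaries, GUIDs, parent image and destination port are all constructed for illustration; only the field names follow Sysmon's schema.

```python
import ntpath
from collections import defaultdict

# Child images of rundll32.exe that warrant a look when seen in Sysmon Event ID 1.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed Sysmon-style events (not real log data). Field names follow the
# Sysmon schema for Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect);
# GUIDs, the parent image and the destination port are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-rundll32}", "ParentProcessGuid": "{guid-explorer}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe <constructed .cpl launch command line>"},
    {"EventID": 1, "ProcessGuid": "{guid-cmd}", "ParentProcessGuid": "{guid-rundll32}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 3, "ProcessGuid": "{guid-rundll32}",
     "Image": r"C:\Windows\System32\rundll32.exe", "Initiated": "true",
     "SourceIp": "10.0.0.2", "SourcePort": 49346,
     "DestinationIp": "10.0.0.5", "DestinationPort": 4444},
    # Benign: an interactive cmd.exe started from explorer.exe should not fire.
    {"EventID": 1, "ProcessGuid": "{guid-cmd-benign}", "ParentProcessGuid": "{guid-explorer}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]


def basename(path):
    """Case-insensitive file name of a Windows path (Sysmon logs full paths)."""
    return ntpath.basename(path or "").lower()


def find_suspicious(events):
    """Return a list of findings for the rundll32 indicators discussed above.

    Each finding is a dict with 'indicator', 'process_guid' (the rundll32
    process concerned) and 'detail'. Per-event findings come first, followed
    by one correlated finding per rundll32 process that showed both behaviours.
    """
    findings = []
    seen = defaultdict(set)  # rundll32 ProcessGuid -> {"shell", "network"}

    for ev in events:
        eid = ev.get("EventID")
        if (eid == 1 and basename(ev.get("ParentImage")) == "rundll32.exe"
                and basename(ev.get("Image")) in SHELLS):
            guid = ev.get("ParentProcessGuid", "")
            findings.append({"indicator": "rundll32_spawned_shell",
                             "process_guid": guid,
                             "detail": ev.get("CommandLine", "")})
            seen[guid].add("shell")
        elif (eid == 3 and basename(ev.get("Image")) == "rundll32.exe"
                and str(ev.get("Initiated", "")).lower() == "true"):
            guid = ev.get("ProcessGuid", "")
            findings.append({"indicator": "rundll32_outbound_connection",
                             "process_guid": guid,
                             "detail": f"{ev.get('SourceIp')}:{ev.get('SourcePort')} -> "
                                       f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
            seen[guid].add("network")

    # Correlation: the same rundll32 process both spawned a shell and
    # initiated a connection, which is exactly the pattern seen in the netcat
    # session above and deserves a higher-priority finding.
    for guid, kinds in seen.items():
        if {"shell", "network"} <= kinds:
            findings.append({"indicator": "rundll32_shell_and_outbound_correlated",
                             "process_guid": guid,
                             "detail": "same rundll32 process spawned a shell "
                                       "and initiated an outbound connection"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f['indicator']}] {f['process_guid']}: {f['detail']}")
```

In a real deployment the events would come from the Sysmon operational log (Get-WinEvent or a SIEM export) rather than an inline list, and the child-image set and network filter would be tuned to the environment; the correlation key stays the same, since Sysmon stamps both event types with the originating ProcessGuid.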