{
	"id": "bf2236c2-0fa4-46e6-822f-c7550a18f920",
	"created_at": "2026-04-06T00:15:49.488077Z",
	"updated_at": "2026-04-10T03:35:21.454256Z",
	"deleted_at": null,
	"sha1_hash": "154c0c09d91cbd49951ad073d88270e94114e804",
	"title": "Cmd",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89316,
	"plain_text": "Cmd\r\nArchived: 2026-04-05 13:23:44 UTC\r\nStarts a new instance of the command interpreter, Cmd.exe. Used without parameters, cmd displays Windows XP\r\nversion and copyright information.\r\nSyntax\r\ncmd [[{/c|/k}] [/s] [/q] [/d] [{/a|/u}] [/t:fg] [/e:{on|off}] [/f:{on|off}] [/v:{on|off}] string]\r\nParameters\r\n/c : Carries out the command specified by string and then stops.\r\n/k : Carries out the command specified by string and continues.\r\n/s : Modifies the treatment of string after /c or /k.\r\n/q : Turns the echo off.\r\n/d : Disables execution of AutoRun commands.\r\n/a : Creates American National Standards Institute (ANSI) output.\r\n/u : Creates Unicode output.\r\n/t:fg : Sets the foreground f and background g colors. The following table lists valid hexadecimal digits that\r\nyou can use as the values for f and g.\r\nValue Color\r\n0 Black\r\n1 Blue\r\n2 Green\r\nhttps://technet.microsoft.com/en-us/library/bb490880.aspx\r\nPage 1 of 8\n\n3 Aqua\r\n4 Red\r\n5 Purple\r\n6 Yellow\r\n7 White\r\n8 Gray\r\n9 Light blue\r\nA Light green\r\nB Light aqua\r\nC Light red\r\nD Light purple\r\nE Light yellow\r\nF Bright white\r\n/e:on : Enables command extensions.\r\n/e:off : Disables command extensions.\r\n/f:on : Enables file and directory name completion.\r\n/f:off : Disables file and directory name completion.\r\n/v:on : Enables delayed environment variable expansion.\r\n/v:off : Disables delayed environment variable expansion.\r\nstring : Specifies the command you want to carry out.\r\n/? 
: Displays help at the command prompt.\r\nUsing multiple commands\r\nYou can use multiple commands separated by the command separator \u0026\u0026 for string, but you must enclose\r\nthem in quotation marks (for example, \"command\u0026\u0026command\u0026\u0026command\").\r\nProcessing quotation marks\r\nIf you specify /c or /k, cmd processes the remainder of string and quotation marks are preserved only if all\r\nof the following conditions are met:\r\nYou do not use /s.\r\nYou use exactly one set of quotation marks.\r\nYou do not use any special characters within the quotation marks (for example: \u0026\u003c\u003e( ) @ ^ |).\r\nYou use one or more white-space characters within the quotation marks.\r\nThe string within quotation marks is the name of an executable file.\r\nIf the previous conditions are not met, string is processed by examining the first character to verify whether\r\nor not it is an opening quotation mark. If the first character is an opening quotation mark, it is stripped\r\nalong with the closing quotation mark. Any text following the closing quotation marks is preserved.\r\nExecuting registry subkeys\r\nIf you do not specify /d in string, Cmd.exe looks for the following registry subkeys:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor\\AutoRun\\REG_SZ\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun REG_EXPAND_SZ\r\nIf either one or both registry subkeys are present, they are executed before all other variables.\r\nCaution\r\nIncorrectly editing the registry may severely damage your system. Before making changes to the\r\nregistry, you should back up any valued data on the computer.\r\nEnabling and disabling command extensions\r\nCommand extensions are enabled by default in Windows XP. You can disable them for a particular process\r\nby using /e:off. 
You can enable or disable extensions for all cmd command-line options on a computer or\r\nuser session by setting the following REG_DWORD values:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor\\EnableExtensions\\REG_DWORD\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions\\REG_DWORD\r\nSet the REG_DWORD value to either 0x1 (that is, enabled) or 0x0 (that is, disabled) in the registry by\r\nusing Regedit.exe. User-specified settings take precedence over computer settings, and command-line\r\noptions take precedence over registry settings.\r\nCaution\r\nIncorrectly editing the registry may severely damage your system. Before making changes to the\r\nregistry, you should back up any valued data on the computer.\r\nWhen you enable command extensions, the following commands are affected:\r\nassoc\r\ncall\r\nchdir (cd)\r\ncolor\r\ndel (erase)\r\nendlocal\r\nfor\r\nftype\r\ngoto\r\nif\r\nmkdir (md)\r\npopd\r\nprompt\r\npushd\r\nset\r\nsetlocal\r\nshift\r\nstart (also includes changes to external command processes)\r\nFor more information about these commands, see Related Topics.\r\nEnabling delayed environment variable expansion\r\nIf you enable delayed environment variable expansion, you can use the exclamation character to substitute\r\nthe value of an environment variable at run time.\r\nEnabling file and directory name completion\r\nFile and directory name completion is not enabled by default. You can enable or disable file name\r\ncompletion for a particular process of the cmd command with /f:{on|off}. 
You can enable or disable file\r\nand directory name completion for all processes of the cmd command on a computer or user logon session\r\nby setting the following REG_DWORD values:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor\\CompletionChar\\REG_DWORD\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor\\PathCompletionChar\\REG_DWORD\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar\\REG_DWORD\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar\\REG_DWORD\r\nTo set the REG_DWORD value, run Regedit.exe and use the hexadecimal value of a control character for\r\na particular function (for example, 0x9 is TAB and 0x08 is BACKSPACE). User-specified settings take\r\nprecedence over computer settings, and command-line options take precedence over registry settings.\r\nCaution\r\nIncorrectly editing the registry may severely damage your system. Before making changes to the\r\nregistry, you should back up any valued data on the computer.\r\nIf you enable file and directory name completion by using /f:on, use CTRL+D for directory name\r\ncompletion and CTRL+F for file name completion. To disable a particular completion character in the\r\nregistry, use the value for white space [0x20] because it is not a valid control character.\r\nWhen you press CTRL+D or CTRL+F, cmd processes file and directory name completion. These key\r\ncombination functions append a wildcard character to string (that is, if one is not present), build a list of\r\npaths that match, and then display the first matching path. If none of the paths match, the file and directory\r\nname completion function beeps and does not change the display. To move through the list of matching\r\npaths, press CTRL+D or CTRL+F repeatedly. To move through the list backwards, press the SHIFT key\r\nand CTRL+D or CTRL+F simultaneously. 
To discard the saved list of matching paths and generate a new\r\nlist, edit string and press CTRL+D or CTRL+F. If you switch between CTRL+D and CTRL+F, the saved\r\nlist of matching paths is discarded and a new list is generated. The only difference between the key\r\ncombinations CTRL+D and CTRL+F is that CTRL+D only matches directory names and CTRL+F\r\nmatches both file and directory names. If you use file and directory name completion on any of the built-in\r\ndirectory commands (that is, CD, MD, or RD), directory completion is assumed.\r\nFile and directory name completion correctly processes file names that contain white space or special\r\ncharacters if you place quotation marks around the matching path.\r\nThe following special characters require quotation marks: \u0026 \u003c \u003e [ ] { } ^ = ; ! ' + , ` ~ [white space]\r\nIf the information that you supply contains spaces, use quotation marks around the text (for example,\r\n\"Computer Name\").\r\nIf you process file and directory name completion from within string, any part of the [Path] to the right of\r\nthe cursor is discarded (that is, at the point in string where the completion was processed).\r\nFormatting legend\r\nFormat : Meaning\r\nItalic : Information that the user must supply\r\nBold : Elements that the user must type exactly as shown\r\nEllipsis (...) : Parameter that can be repeated several times in a command line\r\nBetween brackets ([]) : Optional items\r\nBetween braces ({}); choices separated by pipe (|). Example: {even|odd} : Set of choices from which the user must choose only one\r\nCourier font : Code or program output\r\nAssoc\r\nCall\r\nChdir\r\nColor\r\nDel (erase)\r\nEndlocal\r\nFor\r\nFtype\r\nGoto\r\nIf\r\nMkdir\r\nPopd\r\nPrompt\r\nPushd\r\nSet\r\nSetlocal\r\nShift\r\nStart\r\nCommand-line reference A-Z\r\nCommand shell 
overview\r\nSource: https://technet.microsoft.com/en-us/library/bb490880.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/library/bb490880.aspx"
	],
	"report_names": [
		"bb490880.aspx"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/154c0c09d91cbd49951ad073d88270e94114e804.pdf",
		"text": "https://archive.orkl.eu/154c0c09d91cbd49951ad073d88270e94114e804.txt",
		"img": "https://archive.orkl.eu/154c0c09d91cbd49951ad073d88270e94114e804.jpg"
	}
}