Anomaly

| ID | Description | Significance / Prevalence |
|---|---|---|
| BH12142 | Attempts to brute-force passwords. | |
| BH12159 | Changes the printing mode to large bitmap. | |
| BH12169 | Changes the way the PowerShell console reads input. | |
| BH12185 | Contains blocks used in SHA-1 collision attacks. | |
| BH12188 | Calls a function through the Execute() function, commonly used for obfuscation. | |
| BH12189 | Contains executable filenames resembling the Service Host Process executable. | |
| BH12190 | Contains executable filenames resembling the Windows Explorer executable. | |
| BH12192 | Contains a double-encoded hexadecimal representation of the BinaryToString() function, commonly used for obfuscation. | |
| BH12193 | Contains cryptocurrency wallet addresses associated with ransomware. | |
| BH12366 | Imports command aliases from a file. | |
| BH12405 | Loads a trusted execution enclave with data. | |
| BH12410 | Manipulates default macro code in the normal template document. | |
| BH12411 | Manipulates macro code in the currently active document. | |
| BH12412 | Manipulates macro code in the currently active workbook. | |
| BH12770 | Tampers with Windows Deployment Services. | |
| BH12825 | Removes a trusted execution enclave from a process. | |
| BH12851 | Suppresses ILDASM disassembly. | |
| BH13249 | Contains a list of default passwords for various services and devices. | |
| BH13302 | Contains prefix trie tables used for string obfuscation in the XZ Utils software compromise. | |
| BH13319 | The software package was developed by a user known for distributing malicious packages on the PyPI repository. | |
| BH13320 | The software package was developed by a user known for distributing malicious packages on the NPM repository. | |
| BH13321 | The software package was developed by a user registered with an email address from a region sanctioned by the United States. | |
| BH13322 | The software package was developed by a user registered with an email address from a region sanctioned by the European Union. | |
| BH13323 | The software package was developed by a user known for distributing destructive protestware packages. | |
| BH13324 | The software package was developed by a user registered with an anonymous email address. | |
| BH13325 | The software package was developed by a user registered with a disposable/temporary email address. | |
| BH13383 | Plays audio streams in WAV format. | |
| BH13393 | Executes an application and sends keystrokes to it. | |
| BH13395 | Contains a reference to an ActiveX GUID with the Kill-Bit flag set. | |
| BH13424 | Plays a sound. | |
| BH13429 | Writes text to the clipboard. | |
| BH13448 | Contains parts of the "Lorem Ipsum" dummy text. | |
| BH13478 | Contains Windows file paths. | |
| BH13485 | Contains non-printable ASCII characters in attribute names. | |
| BH13525 | Might evaluate code dynamically. | |
| BH13532 | Creates a pop-up menu. | |
| BH13534 | Uses the JavaScript console. | |
| BH13535 | Reads embedded data. | |
| BH13541 | Searches the document or index. | |
| BH13543 | Sends a message through a broadcast channel. | |
| BH13548 | Might output messages to the console. | |
| BH13553 | Might move through the browser history. | |
| BH13599 | Manipulates macro code in the currently active workbooks. | |
| BH13601 | Declares a Python lambda function in an unusual way. | |
| BH13616 | The software package was developed by a user registered with a bug bounty platform email alias. | |
| BH13776 | Wraps an arbitrary expression as a Keras Layer object. | |
| BH13833 | Overrides the default behavior of Python setuptools commands. | |
| BH13834 | Adds custom functionality to the Python setuptools "install" command. | |
| BH13835 | Imports the "fernet" module, which provides methods for Fernet symmetric encryption. | |
| BH13836 | The software package impersonates a popular package from a public package repository. | |
| BH13837 | The software package is published with an unusual version number. | |
| BH13838 | The software package manifest executes unusual system commands. | |
| BH13839 | The software package contains remotely hosted binary dependencies. | |
| BH13840 | The software package contains remotely hosted source dependencies. | |
| BH13841 | The software package is hosted on a repository located in a region sanctioned by the United States. | |
| BH13842 | The software package is hosted on a repository located in a region sanctioned by the European Union. | |
| BH13843 | The software package does not declare any source code repository. | |
| BH13844 | The software package manifest declares a localized entry point. | |
| BH13845 | The software package manifest executes a cryptocurrency miner. | |
| BH13846 | The software package manifest executes code written in another programming language. | |
| BH13847 | The software package manifest hijacks common operating system commands. | |
| BH13848 | The software package manifest hijacks common development tools. | |
| BH13849 | The software package manifest collects system information. | |
| BH13850 | The software package manifest accesses sensitive system files. | |
| BH15156 | Decrypts data within a trusted execution enclave. | |
| BH15184 | Uses unusually long variable names, commonly used for obfuscation. | |
| BH15218 | Contains the RLO (right-to-left override) Unicode character, commonly used with bidirectional text. | |
| BH15219 | Contains the LRI (left-to-right isolate) Unicode character, commonly used with bidirectional text. | |
| BH15220 | Contains the PDI (pop directional isolate) Unicode character, commonly used with bidirectional text. | |
| BH15221 | Contains the LRE (left-to-right embedding) Unicode character, commonly used with bidirectional text. | |
| BH15222 | Contains the RLE (right-to-left embedding) Unicode character, commonly used with bidirectional text. | |
| BH15223 | Contains the PDF (pop directional formatting) Unicode character, commonly used with bidirectional text. | |
| BH15224 | Contains the LRO (left-to-right override) Unicode character, commonly used with bidirectional text. | |
| BH15225 | Contains the RLI (right-to-left isolate) Unicode character, commonly used with bidirectional text. | |
| BH15226 | Contains the FSI (first strong isolate) Unicode character, commonly used with bidirectional text. | |
| BH15227 | Contains the ZWSP (zero width space) Unicode character. | |
| BH15228 | Contains the ZWNJ (zero width non-joiner) Unicode character. | |
| BH15321 | Generates cryptographically secure random numbers. | |
| BH15327 | Concatenates an unusual number of strings or variable values, commonly used for obfuscation. | |
| BH15329 | Concatenates an unusual number of cells, commonly used for obfuscation. | |
| BH15330 | Concatenates an unusual number of strings or exact values, commonly used for obfuscation. | |
| BH15332 | Might contain potentially obfuscated code or data. | |
| BH15334 | Generates cryptographically strong random values. | |
| BH15341 | Contains unusually long strings. | |
| BH15342 | Contains unusually long strings for a typical VBA macro. | |
| BH16138 | Contains e-mail addresses associated with ransomware. | |
| BH16139 | Contains domains associated with ransomware. | |
| BH16319 | Contains Base64-encoded URLs. | |
| BH16392 | The software package manifest has networking capabilities. | |
| BH17117 | Collects the credit card cardholder's name from Track 1 data. | |
| BH17118 | Collects credit card information. | |
| BH17119 | Collects the credit card PAN from Track 1 data. | |
| BH17120 | Collects the credit card PAN from Track 2 data. | |
| BH17121 | Collects the credit card service code and discretionary data from Track 1 or Track 2 data. | |
| BH17122 | Collects information about credit card management devices. | |
| BH17123 | Contains a regex that's commonly used to validate American Express credit card numbers. | |
| BH17124 | Contains a regex that's commonly used to validate BCGlobal credit card numbers. | |
| BH17125 | Contains a regex that's commonly used to validate the credit card cardholder's name from Track 1 data. | |
| BH17126 | Contains a regex that's commonly used to validate credit card PANs from Track 1 data. | |
| BH17127 | Contains a regex that's commonly used to validate credit card PANs from Track 2 data. | |
| BH17128 | Contains a regex that's commonly used to validate the credit card service code and discretionary data from Track 1 or Track 2 data. | |
| BH17129 | Contains a regex that's commonly used to validate Diners Club credit card numbers. | |
| BH17130 | Contains a regex that's commonly used to validate Discover credit card numbers. | |
| BH17131 | Contains a regex that's commonly used to validate Insta Payment credit card numbers. | |
| BH17132 | Contains a regex that's commonly used to validate JCB credit card numbers. | |
| BH17133 | Contains a regex that's commonly used to validate Laser credit card numbers. | |
| BH17134 | Contains a regex that's commonly used to validate Maestro credit card numbers. | |
| BH17135 | Contains a regex that's commonly used to validate Mastercard credit card numbers. | |
| BH17136 | Contains a regex that's commonly used to validate Solo credit card numbers. | |
| BH17137 | Contains a regex that's commonly used to validate Switch credit card numbers. | |
| BH17138 | Contains a regex that's commonly used to validate the type or name of credit card management devices. | |
| BH17139 | Contains a regex that's commonly used to validate Union Pay credit card numbers. | |
| BH17140 | Contains a regex that's commonly used to validate Visa credit card numbers. | |
| BH17143 | Contains format strings related to Bitcoin prices. | |
| BH17176 | Reads data from an icon stream object. | |
| BH17436 | Contains regular expressions used to detect the presence of common crypto tokens. | |
| BH20169 | Uses a PowerSploit/Empire command to cause a blue screen upon exiting PowerShell. | |
| BH20243 | Uses a PowerSploit/Empire command to overwrite the Master Boot Record. | |