| BH12142 | Attempts to brute-force passwords. | |
| BH12159 | Changes printing mode to large bitmap. | |
| BH12169 | Changes the way PowerShell console reads input. | |
| BH12185 | Contains blocks used in SHA-1 collision attacks. | |
| BH12188 | Calls a function through the Execute() function, commonly used for obfuscation. | |
| BH12189 | Contains executable filenames resembling the Service Host Process executable. | |
| BH12190 | Contains executable filenames resembling the Windows Explorer executable. | |
| BH12192 | Contains double encoded hexadecimal representation of the BinaryToString() function, commonly used for obfuscation. | |
| BH12193 | Contains cryptocurrency wallet addresses associated with ransomware. | |
| BH12366 | Imports command aliases from file. | |
| BH12405 | Loads a trusted execution enclave with data. | |
| BH12410 | Manipulates default macro code in the normal template document. | |
| BH12411 | Manipulates macro code in the currently active document. | |
| BH12412 | Manipulates macro code in the currently active workbook. | |
| BH12770 | Tampers with Windows Deployment Services. | |
| BH12825 | Removes a trusted execution enclave from a process. | |
| BH12851 | Suppresses ILDASM disassembly. | |
| BH13249 | Contains a list of default passwords for various services and devices. | |
| BH13302 | Contains prefix trie tables used for string obfuscation in the XZ Utils software compromise. | |
| BH13319 | The software package was developed by a user known for distributing malicious packages on the PyPI repository. | |
| BH13320 | The software package was developed by a user known for distributing malicious packages on the NPM repository. | |
| BH13321 | The software package was developed by a user registered with an email address from a region sanctioned by the United States. | |
| BH13322 | The software package was developed by a user registered with an email address from a region sanctioned by the European Union. | |
| BH13323 | The software package was developed by a user known for distributing destructive protestware packages. | |
| BH13324 | The software package was developed by a user registered with an anonymous email address. | |
| BH13325 | The software package was developed by a user registered with a disposable/temporary email address. | |
| BH13383 | Plays audio streams in WAV format. | |
| BH13393 | Executes an application and sends keystrokes to it. | |
| BH13395 | Contains a reference to ActiveX GUID with the Kill-Bit flag set. | |
| BH13424 | Plays a sound. | |
| BH13429 | Writes text to the clipboard. | |
| BH13448 | Contains parts of the "Lorem Ipsum" dummy text. | |
| BH13478 | Contains Windows file paths. | |
| BH13485 | Contains non-printable ASCII characters in attribute names. | |
| BH13525 | Might evaluate code dynamically. | |
| BH13532 | Creates a pop-up menu. | |
| BH13534 | Uses JavaScript console. | |
| BH13535 | Reads embedded data. | |
| BH13541 | Searches the document or index. | |
| BH13543 | Sends a message through broadcast channel. | |
| BH13548 | Might output messages to console. | |
| BH13553 | Might move through history. | |
| BH13599 | Manipulates macro code in the currently active workbooks. | |
| BH13601 | Declares a Python lambda function in an unusual way. | |
| BH13616 | The software package was developed by a user registered with a bug bounty platform email alias. | |
| BH13776 | Wraps an arbitrary expression as a Keras Layer object. | |
| BH13833 | Overrides the default behavior of Python setuptool commands. | |
| BH13834 | Adds custom functionality to the Python setuptools "install" command. | |
| BH13835 | Imports the "fernet" module, which provides methods for the Fernet symmetric encryption. | |
| BH13836 | The software package impersonates a popular package from a public package repository. | |
| BH13837 | The software package is published with an unusual version number. | |
| BH13838 | The software package manifest executes unusual system commands. | |
| BH13839 | The software package contains remotely hosted binary dependencies. | |
| BH13840 | The software package contains remotely hosted source dependencies. | |
| BH13841 | The software package is hosted on a repository located in a region sanctioned by the United States. | |
| BH13842 | The software package is hosted on a repository located in a region sanctioned by the European Union. | |
| BH13843 | The software package does not declare any source code repository. | |
| BH13844 | The software package manifest declares a localized entry point. | |
| BH13845 | The software package manifest executes a cryptocurrency miner. | |
| BH13846 | The software package manifest executes code written in another programming language. | |
| BH13847 | The software package manifest hijacks common operating system commands. | |
| BH13848 | The software package manifest hijacks common development tools. | |
| BH13849 | The software package manifest collects system information. | |
| BH13850 | The software package manifest accesses sensitive system files. | |
| BH15156 | Decrypts data within a trusted execution enclave. | |
| BH15184 | Uses unusually long variable names, commonly used for obfuscation. | |
| BH15218 | Contains the RLO (right-to-left override) Unicode character, commonly used with bidirectional text. | |
| BH15219 | Contains the LRI (left-to-right isolate) Unicode character, commonly used with bidirectional text. | |
| BH15220 | Contains the PDI (pop directional isolate) Unicode character, commonly used with bidirectional text. | |
| BH15221 | Contains the LRE (left-to-right embedding) Unicode character, commonly used with bidirectional text. | |
| BH15222 | Contains the RLE (right-to-left embedding) Unicode character, commonly used with bidirectional text. | |
| BH15223 | Contains the PDF (pop directional formatting) Unicode character, commonly used with bidirectional text. | |
| BH15224 | Contains the LRO (left-to-right override) Unicode character, commonly used with bidirectional text. | |
| BH15225 | Contains the RLI (right-to-left isolate) Unicode character, commonly used with bidirectional text. | |
| BH15226 | Contains the FSI (first strong isolate) Unicode character, commonly used with bidirectional text. | |
| BH15227 | Contains the ZWSP (zero width space) Unicode character. | |
| BH15228 | Contains the ZWNJ (zero width non-joiner) Unicode character. | |
| BH15321 | Generates cryptographically secure random numbers. | |
| BH15327 | Concatenates an unusual amount of strings or variable values, commonly used for obfuscation. | |
| BH15329 | Concatenates an unusual amount of cells, commonly used for obfuscation. | |
| BH15330 | Concatenates an unusual amount of strings or exact values, commonly used for obfuscation. | |
| BH15332 | Might contain potentially obfuscated code or data. | |
| BH15334 | Generates cryptographically strong random values. | |
| BH15341 | Contains unusually long strings. | |
| BH15342 | Contains unusually long strings for a typical VBA macro. | |
| BH16138 | Contains e-mail addresses associated with ransomware. | |
| BH16139 | Contains domains associated with ransomware. | |
| BH16319 | Contains Base64-encoded URLs. | |
| BH16392 | The software package manifest has networking capabilities. | |
| BH17117 | Collects credit card cardholder's name from Track 1 data. | |
| BH17118 | Collects credit card information. | |
| BH17119 | Collects credit card PAN number from Track 1 data. | |
| BH17120 | Collects credit card PAN number from Track 2 data. | |
| BH17121 | Collects credit card service code and discretionary data from Track 1 or Track 2 data. | |
| BH17122 | Collects information about credit card management devices. | |
| BH17123 | Contains a regex that's commonly used to validate American Express credit card numbers. | |
| BH17124 | Contains a regex that's commonly used to validate BCGlobal credit card numbers. | |
| BH17125 | Contains a regex that's commonly used to validate credit card cardholder's name from Track 1 data. | |
| BH17126 | Contains a regex that's commonly used to validate credit card PAN numbers from Track 1 data. | |
| BH17127 | Contains a regex that's commonly used to validate credit card PAN numbers from Track 2 data. | |
| BH17128 | Contains a regex that's commonly used to validate credit card service code and discretionary data from Track 1 or Track 2 data. | |
| BH17129 | Contains a regex that's commonly used to validate Diners Club credit card numbers. | |
| BH17130 | Contains a regex that's commonly used to validate Discover credit card numbers. | |
| BH17131 | Contains a regex that's commonly used to validate Insta Payment credit card numbers. | |
| BH17132 | Contains a regex that's commonly used to validate JCB credit card numbers. | |
| BH17133 | Contains a regex that's commonly used to validate Laser credit card numbers. | |
| BH17134 | Contains a regex that's commonly used to validate Maestro credit card numbers. | |
| BH17135 | Contains a regex that's commonly used to validate Mastercard credit card numbers. | |
| BH17136 | Contains a regex that's commonly used to validate Solo credit card numbers. | |
| BH17137 | Contains a regex that's commonly used to validate Switch credit card numbers. | |
| BH17138 | Contains a regex that's commonly used to validate the type or name of credit card management devices. | |
| BH17139 | Contains a regex that's commonly used to validate Union Pay credit card numbers. | |
| BH17140 | Contains a regex that's commonly used to validate Visa credit card numbers. | |
| BH17143 | Contains format strings related to Bitcoin prices. | |
| BH17176 | Reads data from icon stream object. | |
| BH17436 | Contains regular expressions used to detect presence of common crypto tokens. | |
| BH20169 | Uses PowerSploit/Empire command to cause the blue screen upon exiting PowerShell. | |
| BH20243 | Uses PowerSploit/Empire command to overwrite the Master Boot Record. | |
