BH12142 | Attempts to brute-force passwords. | |
BH12159 | Changes printing mode to large bitmap. | |
BH12169 | Changes the way PowerShell console reads input. | |
BH12185 | Contains blocks used in SHA-1 collision attacks. | |
BH12188 | Calls a function through the Execute() function, commonly used for obfuscation. | |
BH12189 | Contains executable filenames resembling the Service Host Process executable. | |
BH12190 | Contains executable filenames resembling the Windows Explorer executable. | |
BH12192 | Contains double encoded hexadecimal representation of the BinaryToString() function, commonly used for obfuscation. | |
BH12193 | Contains cryptocurrency wallet addresses associated with ransomware. | |
BH12366 | Imports command aliases from file. | |
BH12405 | Loads a trusted execution enclave with data. | |
BH12410 | Manipulates default macro code in the normal template document. | |
BH12411 | Manipulates macro code in the currently active document. | |
BH12412 | Manipulates macro code in the currently active workbook. | |
BH12770 | Tampers with Windows Deployment Services. | |
BH12825 | Removes a trusted execution enclave from a process. | |
BH12851 | Suppresses ILDASM disassembly. | |
BH13249 | Contains a list of default passwords for various services and devices. | |
BH13302 | Contains prefix trie tables used for string obfuscation in the XZ Utils software compromise. | |
BH15156 | Decrypts data within a trusted execution enclave. | |
BH15184 | Uses unusually long variable names, commonly used for obfuscation. | |
BH15218 | Contains the RLO (right-to-left override) Unicode character, commonly used with bidirectional text. | |
BH15219 | Contains the LRI (left-to-right isolate) Unicode character, commonly used with bidirectional text. | |
BH15220 | Contains the PDI (pop directional isolate) Unicode character, commonly used with bidirectional text. | |
BH15221 | Contains the LRE (left-to-right embedding) Unicode character, commonly used with bidirectional text. | |
BH15222 | Contains the RLE (right-to-left embedding) Unicode character, commonly used with bidirectional text. | |
BH15223 | Contains the PDF (pop directional formatting) Unicode character, commonly used with bidirectional text. | |
BH15224 | Contains the LRO (left-to-right override) Unicode character, commonly used with bidirectional text. | |
BH15225 | Contains the RLI (right-to-left isolate) Unicode character, commonly used with bidirectional text. | |
BH15226 | Contains the FSI (first strong isolate) Unicode character, commonly used with bidirectional text. | |
BH15227 | Contains the ZWSP (zero width space) Unicode character. | |
BH15228 | Contains the ZWNJ (zero width non-joiner) Unicode character. | |
BH16138 | Contains e-mail addresses associated with ransomware. | |
BH16139 | Contains domains associated with ransomware. | |
BH16319 | Contains Base64-encoded URLs. | |
BH17117 | Collects credit card cardholder's name from Track 1 data. | |
BH17118 | Collects credit card information. | |
BH17119 | Collects credit card PAN number from Track 1 data. | |
BH17120 | Collects credit card PAN number from Track 2 data. | |
BH17121 | Collects credit card service code and discretionary data from Track 1 or Track 2 data. | |
BH17122 | Collects information about credit card management devices. | |
BH17123 | Contains a regex that's commonly used to validate American Express credit card numbers. | |
BH17124 | Contains a regex that's commonly used to validate BCGlobal credit card numbers. | |
BH17125 | Contains a regex that's commonly used to validate credit card cardholder's name from Track 1 data. | |
BH17126 | Contains a regex that's commonly used to validate credit card PAN numbers from Track 1 data. | |
BH17127 | Contains a regex that's commonly used to validate credit card PAN numbers from Track 2 data. | |
BH17128 | Contains a regex that's commonly used to validate credit card service code and discretionary data from Track 1 or Track 2 data. | |
BH17129 | Contains a regex that's commonly used to validate Diners Club credit card numbers. | |
BH17130 | Contains a regex that's commonly used to validate Discover credit card numbers. | |
BH17131 | Contains a regex that's commonly used to validate Insta Payment credit card numbers. | |
BH17132 | Contains a regex that's commonly used to validate JCB credit card numbers. | |
BH17133 | Contains a regex that's commonly used to validate Laser credit card numbers. | |
BH17134 | Contains a regex that's commonly used to validate Maestro credit card numbers. | |
BH17135 | Contains a regex that's commonly used to validate Mastercard credit card numbers. | |
BH17136 | Contains a regex that's commonly used to validate Solo credit card numbers. | |
BH17137 | Contains a regex that's commonly used to validate Switch credit card numbers. | |
BH17138 | Contains a regex that's commonly used to validate the type or name of credit card management devices. | |
BH17139 | Contains a regex that's commonly used to validate Union Pay credit card numbers. | |
BH17140 | Contains a regex that's commonly used to validate Visa credit card numbers. | |
BH17143 | Contains format strings related to Bitcoin prices. | |
BH17176 | Reads data from icon stream object. | |
BH17436 | Contains regular expressions used to detect presence of common crypto tokens. | |
BH20169 | Uses PowerSploit/Empire command to cause a blue screen upon exiting PowerShell. | |
BH20243 | Uses PowerSploit/Empire command to overwrite the Master Boot Record. | |