SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dreambot (Back to overview)

DreamBot

URLhaus    

2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)

In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.

See win.gozi for additional historical information.

References
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02RiskIQJordan Herman
@online{herman:20200902:inter:93b8c50, author = {Jordan Herman}, title = {{The Inter Skimmer Kit}}, date = {2020-09-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/30f22a00}, language = {English}, urldate = {2020-09-04} } The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-08-28CheckpointCheck Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-05-01CSISBenoît Ancel
@online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07Medium CSIS TechblogBenoît Ancel
@online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29ProofpointProofpoint Staff
@online{staff:20160829:nightmare:2268343, author = {Proofpoint Staff}, title = {{Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality}}, date = {2016-08-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality}, language = {English}, urldate = {2019-12-20} } Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules
[TLP:WHITE] win_dreambot_auto (20220516 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 894320 8b4730 a802 7410 8b4730 }
            // n = 5, score = 700
            //   894320               | mov                 dword ptr [ebx + 0x20], eax
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a802                 | test                al, 2
            //   7410                 | je                  0x12
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]

        $sequence_1 = { ff7320 e8???????? 8bf8 85ff 7410 }
            // n = 5, score = 700
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7410                 | je                  0x12

        $sequence_2 = { 0f8483000000 837d1c00 7504 834e2801 ff7518 53 ff7510 }
            // n = 7, score = 700
            //   0f8483000000         | je                  0x89
            //   837d1c00             | cmp                 dword ptr [ebp + 0x1c], 0
            //   7504                 | jne                 6
            //   834e2801             | or                  dword ptr [esi + 0x28], 1
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   53                   | push                ebx
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_3 = { 894724 e8???????? 8b7704 e8???????? }
            // n = 4, score = 700
            //   894724               | mov                 dword ptr [edi + 0x24], eax
            //   e8????????           |                     
            //   8b7704               | mov                 esi, dword ptr [edi + 4]
            //   e8????????           |                     

        $sequence_4 = { 7410 8b4730 a840 7509 83672800 }
            // n = 5, score = 700
            //   7410                 | je                  0x12
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a840                 | test                al, 0x40
            //   7509                 | jne                 0xb
            //   83672800             | and                 dword ptr [edi + 0x28], 0

        $sequence_5 = { ff15???????? 8bf0 85f6 0f84a9000000 e8???????? }
            // n = 5, score = 700
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f84a9000000         | je                  0xaf
            //   e8????????           |                     

        $sequence_6 = { ff75f8 e8???????? 8bf8 3bfb 754f ff7618 8b3d???????? }
            // n = 7, score = 700
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfb                 | cmp                 edi, ebx
            //   754f                 | jne                 0x51
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   8b3d????????         |                     

        $sequence_7 = { ff15???????? 85c0 742e 68???????? 68???????? ff7320 }
            // n = 6, score = 700
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742e                 | je                  0x30
            //   68????????           |                     
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]

        $sequence_8 = { 0f8481000000 395d0c 747c 6a03 }
            // n = 4, score = 600
            //   0f8481000000         | mov                 ecx, dword ptr [edi + 0x30]
            //   395d0c               | test                cl, 0x40
            //   747c                 | jne                 0x26
            //   6a03                 | test                eax, eax

        $sequence_9 = { 746f 6a0d ebbf ff7510 53 68???????? }
            // n = 6, score = 600
            //   746f                 | inc                 esp
            //   6a0d                 | mov                 eax, esi
            //   ebbf                 | dec                 eax
            //   ff7510               | mov                 edx, edi
            //   53                   | jmp                 0x31
            //   68????????           |                     

        $sequence_10 = { 68???????? eb54 3bf3 745c 395d0c }
            // n = 5, score = 600
            //   68????????           |                     
            //   eb54                 | je                  0x1a
            //   3bf3                 | mov                 edi, eax
            //   745c                 | mov                 eax, dword ptr [esp + 0xc]
            //   395d0c               | mov                 dword ptr [ebx + 0x20], eax

        $sequence_11 = { 8b7d08 eb24 a1???????? 85c0 7520 3bf3 }
            // n = 6, score = 600
            //   8b7d08               | push                eax
            //   eb24                 | push                esi
            //   a1????????           |                     
            //   85c0                 | call                dword ptr [edx + 0x14]
            //   7520                 | mov                 edi, ebx
            //   3bf3                 | push                dword ptr [ebx + 0x20]

        $sequence_12 = { 3bf3 7474 395d0c 746f 6a0d }
            // n = 5, score = 600
            //   3bf3                 | push                7
            //   7474                 | jmp                 0xffffffdf
            //   395d0c               | cmp                 esi, ebx
            //   746f                 | je                  0x8b
            //   6a0d                 | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_13 = { 7457 53 ff750c 8bfe }
            // n = 4, score = 600
            //   7457                 | mov                 esi, dword ptr [edi + 4]
            //   53                   | mov                 esi, dword ptr [edi + 8]
            //   ff750c               | push                0
            //   8bfe                 | mov                 dword ptr [edi + 0x30], ecx

        $sequence_14 = { 56 e8???????? e9???????? 3bf3 0f8496000000 }
            // n = 5, score = 600
            //   56                   | mov                 edi, eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | test                edi, edi
            //   0f8496000000         | je                  0x16

        $sequence_15 = { 837d0c04 7516 ff7510 ff36 68???????? e8???????? }
            // n = 6, score = 600
            //   837d0c04             | je                  0x56
            //   7516                 | push                dword ptr [ebx + 0x20]
            //   ff7510               | push                ecx
            //   ff36                 | xor                 eax, eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_16 = { 418d5620 498bcf ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 500
            //   418d5620             | mov                 dword ptr [ebp - 4], eax
            //   498bcf               | test                eax, eax
            //   ff15????????         |                     
            //   4c8bf0               | je                  0x1e
            //   4885c0               | push                0x104

        $sequence_17 = { 488d5e10 4533f6 488b0b 2580000000 }
            // n = 4, score = 500
            //   488d5e10             | lea                 ecx, [edi + 0x10]
            //   4533f6               | push                ecx
            //   488b0b               | mov                 dword ptr [ebp - 8], eax
            //   2580000000           | test                eax, eax

        $sequence_18 = { bb57000000 e8???????? 413bc5 7446 }
            // n = 4, score = 500
            //   bb57000000           | dec                 ecx
            //   e8????????           |                     
            //   413bc5               | cmp                 edi, ebp
            //   7446                 | je                  0xa4

        $sequence_19 = { 413bf5 747c 41b80d000000 eba7 33d2 }
            // n = 5, score = 500
            //   413bf5               | cmp                 ebx, -1
            //   747c                 | jne                 0xd
            //   41b80d000000         | mov                 ebx, eax
            //   eba7                 | dec                 ecx
            //   33d2                 | cmp                 edi, ebp

        $sequence_20 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 7, score = 500
            //   5f                   | push                ebx
            //   c3                   | shl                 eax, 0x10
            //   4053                 | push                esi
            //   4883ec20             | lea                 esi, [eax + ecx - 0x124676d0]
            //   4c8b4108             | push                edi
            //   488bd9               | lea                 eax, [ebp - 0xc]
            //   4d85c0               | push                eax

        $sequence_21 = { 488b542460 4533c9 488bc8 41ff5318 }
            // n = 4, score = 500
            //   488b542460           | test                eax, eax
            //   4533c9               | jne                 0x55
            //   488bc8               | push                dword ptr [ebx]
            //   41ff5318             | push                eax

        $sequence_22 = { 8b05???????? 413bc5 7528 493bfd }
            // n = 4, score = 500
            //   8b05????????         |                     
            //   413bc5               | cmp                 eax, ebp
            //   7528                 | je                  0x50
            //   493bfd               | je                  0xa1

        $sequence_23 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | cmp                 dword ptr [edi + 0x4a1c], edx
            //   41834b3401           | mov                 dword ptr [ebp - 4], eax

        $sequence_24 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | dec                 eax
            //   4533c9               | test                eax, eax
            //   4533c0               | dec                 eax
            //   ff5028               | mov                 esi, eax

        $sequence_25 = { 41b803000000 ebbd 493bfd 0f8481000000 413bf5 }
            // n = 5, score = 500
            //   41b803000000         | inc                 ecx
            //   ebbd                 | mov                 eax, 3
            //   493bfd               | jmp                 0xffffffbf
            //   0f8481000000         | dec                 ecx
            //   413bf5               | cmp                 edi, ebp

        $sequence_26 = { ebd7 493bfd 0f849b000000 413bf5 }
            // n = 4, score = 500
            //   ebd7                 | je                  0x87
            //   493bfd               | inc                 ecx
            //   0f849b000000         | cmp                 esi, ebp
            //   413bf5               | jmp                 0xffffffd9

        $sequence_27 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? 33d2 }
            // n = 5, score = 500
            //   4c896c2420           | add                 esi, 0x3c6ef35f
            //   e8????????           |                     
            //   4c8b442468           | mov                 dword ptr [ebp + 0xc], esi
            //   488b0d????????       |                     
            //   33d2                 | lea                 esi, [ebp + 0xc]

        $sequence_28 = { 8bd6 488bcf e8???????? e9???????? 493bfd 0f84b5000000 }
            // n = 6, score = 500
            //   8bd6                 | cmp                 edi, ebp
            //   488bcf               | dec                 esp
            //   e8????????           |                     
            //   e9????????           |                     
            //   493bfd               | mov                 eax, ebp
            //   0f84b5000000         | mov                 ebx, eax

        $sequence_29 = { 492bd0 4803542460 41ff5220 4c8b442460 e9???????? }
            // n = 5, score = 500
            //   492bd0               | push                0x410
            //   4803542460           | mov                 eax, dword ptr [edi + 0x4a18]
            //   41ff5220             | push                esi
            //   4c8b442460           | xor                 esi, esi
            //   e9????????           |                     

        $sequence_30 = { 4c8bc5 e8???????? 8bd8 83fbff }
            // n = 4, score = 500
            //   4c8bc5               | mov                 ecx, edi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, 0x57
            //   83fbff               | inc                 ecx

        $sequence_31 = { 493bfd 0f84d9000000 413bf5 0f84d0000000 }
            // n = 4, score = 500
            //   493bfd               | jmp                 0xffffffcb
            //   0f84d9000000         | dec                 ecx
            //   413bf5               | cmp                 edi, ebp
            //   0f84d0000000         | dec                 esp

        $sequence_32 = { 4885db 7417 488b0d???????? 4c8bc3 33d2 ff15???????? }
            // n = 6, score = 400
            //   4885db               | mov                 dword ptr [ebp - 8], eax
            //   7417                 | xor                 edi, edi
            //   488b0d????????       |                     
            //   4c8bc3               | jmp                 7
            //   33d2                 | mov                 esi, dword ptr [ebp + 0xc]
            //   ff15????????         |                     

        $sequence_33 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | lea                 esi, [eax + ecx - 0x124676d0]
            //   0f84e8000000         | push                edi
            //   3d0470a8c4           | lea                 eax, [ebp - 0xc]
            //   0f8486000000         | push                eax

        $sequence_34 = { 85c0 741a 6804010000 8d4f10 51 6a00 50 }
            // n = 7, score = 400
            //   85c0                 | xor                 esi, esi
            //   741a                 | inc                 esi
            //   6804010000           | mov                 dword ptr [ebp - 8], eax
            //   8d4f10               | test                eax, eax
            //   51                   | jne                 0x59
            //   6a00                 | push                dword ptr [ebx]
            //   50                   | test                eax, eax

        $sequence_35 = { e8???????? 8945f8 33ff eb03 8b750c ff75f8 69f60d661900 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8945f8               | cmp                 edi, ebp
            //   33ff                 | cmp                 esi, ebx
            //   eb03                 | je                  0xbd
            //   8b750c               | cmp                 esi, ebx
            //   ff75f8               | je                  0x9c
            //   69f60d661900         | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_36 = { 0f8495feffff 488b8c2498000000 8d50ff e8???????? 3305???????? 3dc126223b }
            // n = 6, score = 400
            //   0f8495feffff         | jmp                 5
            //   488b8c2498000000     | mov                 esi, dword ptr [ebp + 0xc]
            //   8d50ff               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   3305????????         |                     
            //   3dc126223b           | imul                esi, esi, 0x19660d

        $sequence_37 = { 498be9 e8???????? 4885c0 488bf0 0f84a3000000 8b942490000000 4c8b442440 }
            // n = 7, score = 400
            //   498be9               | mov                 esi, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   4885c0               | push                dword ptr [ebp - 8]
            //   488bf0               | imul                esi, esi, 0x19660d
            //   0f84a3000000         | mov                 dword ptr [ebp - 4], ebx
            //   8b942490000000       | mov                 dword ptr [ebp - 8], eax
            //   4c8b442440           | xor                 edi, edi

        $sequence_38 = { 8d8718020000 50 ff7310 ff15???????? 33d2 89b7184a0000 39971c4a0000 }
            // n = 7, score = 400
            //   8d8718020000         | ret                 
            //   50                   | inc                 eax
            //   ff7310               | push                ebx
            //   ff15????????         |                     
            //   33d2                 | dec                 eax
            //   89b7184a0000         | sub                 esp, 0x20
            //   39971c4a0000         | dec                 esp

        $sequence_39 = { 4d8bc4 33d2 ff15???????? 488bf8 }
            // n = 4, score = 400
            //   4d8bc4               | dec                 ecx
            //   33d2                 | inc                 edi
            //   ff15????????         |                     
            //   488bf8               | inc                 ecx

        $sequence_40 = { 488bc8 ff15???????? 85c0 7411 8b542438 }
            // n = 5, score = 400
            //   488bc8               | je                  0xaf
            //   ff15????????         |                     
            //   85c0                 | mov                 edx, dword ptr [esp + 0x90]
            //   7411                 | dec                 esp
            //   8b542438             | mov                 eax, dword ptr [esp + 0x40]

        $sequence_41 = { 50 6810040000 ff15???????? 8945fc 85c0 741a 6804010000 }
            // n = 7, score = 400
            //   50                   | mov                 eax, dword ptr [ecx + 8]
            //   6810040000           | dec                 eax
            //   ff15????????         |                     
            //   8945fc               | mov                 ebx, ecx
            //   85c0                 | dec                 ebp
            //   741a                 | test                eax, eax
            //   6804010000           | je                  0x1f

        $sequence_42 = { 48898424d8000000 ff15???????? 448bd8 b8abaaaaaa }
            // n = 4, score = 400
            //   48898424d8000000     | lea                 esi, [ebp + 0xc]
            //   ff15????????         |                     
            //   448bd8               | mov                 dword ptr [ebp + 0xc], esi
            //   b8abaaaaaa           | lea                 esi, [ebp + 0xc]

        $sequence_43 = { c78424a000000001000000 89bc24b0030000 895c2440 eb07 8bbc24b0030000 }
            // n = 5, score = 400
            //   c78424a000000001000000     | call    dword ptr [edx + 0x20]
            //   89bc24b0030000       | dec                 esp
            //   895c2440             | mov                 eax, dword ptr [esp + 0x60]
            //   eb07                 | dec                 ecx
            //   8bbc24b0030000       | mov                 ecx, ebx

        $sequence_44 = { 4c8bc3 33d2 ff15???????? 8364243800 488d542438 33c9 }
            // n = 6, score = 400
            //   4c8bc3               | mov                 ecx, edi
            //   33d2                 | mov                 dword ptr [esp + 0x28], 0xea60
            //   ff15????????         |                     
            //   8364243800           | dec                 eax
            //   488d542438           | mov                 dword ptr [esp + 0x20], ebx
            //   33c9                 | test                eax, eax

        $sequence_45 = { 488b5510 488b4d08 4183e101 4889442420 e8???????? 488b4d08 894548 }
            // n = 7, score = 400
            //   488b5510             | inc                 ebp
            //   488b4d08             | xor                 ecx, ecx
            //   4183e101             | dec                 eax
            //   4889442420           | mov                 dword ptr [esp + 0xd8], eax
            //   e8????????           |                     
            //   488b4d08             | inc                 esp
            //   894548               | mov                 ebx, eax

        $sequence_46 = { 3bc2 7414 8b442444 0fb74c2458 }
            // n = 4, score = 400
            //   3bc2                 | inc                 ecx
            //   7414                 | lea                 edx, [esi + 0x20]
            //   8b442444             | dec                 ecx
            //   0fb74c2458           | mov                 ecx, edi

        $sequence_47 = { 33d2 ff15???????? 4821742428 4c8d8424c8000000 488d542428 488d4c2450 4533c9 }
            // n = 7, score = 400
            //   33d2                 | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   4821742428           | add                 esi, 0x3c6ef35f
            //   4c8d8424c8000000     | imul                esi, esi, 0x19660d
            //   488d542428           | push                dword ptr [ebp - 0xc]
            //   488d4c2450           | add                 esi, 0x3c6ef35f
            //   4533c9               | mov                 dword ptr [ebp + 0xc], esi

        $sequence_48 = { ff75f4 81c65ff36e3c 89750c 8d750c e8???????? }
            // n = 5, score = 400
            //   ff75f4               | push                dword ptr [ebp - 8]
            //   81c65ff36e3c         | imul                esi, esi, 0x19660d
            //   89750c               | push                dword ptr [ebp - 0xc]
            //   8d750c               | add                 esi, 0x3c6ef35f
            //   e8????????           |                     

        $sequence_49 = { 48897c2430 4889442428 4c8d4c2444 4c8bc6 }
            // n = 4, score = 400
            //   48897c2430           | mov                 eax, 0xaaaaaaab
            //   4889442428           | inc                 esp
            //   4c8d4c2444           | add                 eax, eax
            //   4c8bc6               | mov                 ecx, 0x102

        $sequence_50 = { 44897630 89464c 8b464c a840 7518 }
            // n = 5, score = 400
            //   44897630             | jmp                 0xffffff8d
            //   89464c               | dec                 eax
            //   8b464c               | test                ebx, ebx
            //   a840                 | mov                 ebx, eax
            //   7518                 | test                ebx, ebx

        $sequence_51 = { 56 8db4083089b9ed 57 8d45f4 50 }
            // n = 5, score = 400
            //   56                   | mov                 edx, esi
            //   8db4083089b9ed       | dec                 eax
            //   57                   | mov                 ecx, edi
            //   8d45f4               | mov                 ebx, 0x57
            //   50                   | inc                 ecx

        $sequence_52 = { 488b542478 894640 33c0 89842484000000 488b03 4533c9 4533c0 }
            // n = 7, score = 400
            //   488b542478           | je                  0x21c
            //   894640               | mov                 eax, dword ptr [ebx + 0x20]
            //   33c0                 | pop                 edi
            //   89842484000000       | ret                 
            //   488b03               | inc                 eax
            //   4533c9               | push                ebx
            //   4533c0               | dec                 eax

        $sequence_53 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | cmp                 esi, dword ptr [eax + 0x1a]
            //   6a00                 | je                  0x27
            //   6800004000           | push                1
            //   6a00                 | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | mov                 dword ptr [ebp - 4], eax

        $sequence_54 = { 8945f8 85c0 7551 ff33 50 6810040000 ff15???????? }
            // n = 7, score = 400
            //   8945f8               | inc                 ebp
            //   85c0                 | xor                 ecx, ecx
            //   7551                 | inc                 ebp
            //   ff33                 | xor                 eax, eax
            //   50                   | call                dword ptr [eax + 0x28]
            //   6810040000           | dec                 eax
            //   ff15????????         |                     

        $sequence_55 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c }
            // n = 4, score = 400
            //   ff75f8               | dec                 ecx
            //   69f60d661900         | cmp                 edi, ebp
            //   ff75f4               | je                  0x25
            //   81c65ff36e3c         | inc                 ecx

        $sequence_56 = { e8???????? 33d2 3bc2 0f85bd000000 33c0 89942498000000 899424a8000000 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   33d2                 | dec                 ecx
            //   3bc2                 | sub                 edx, eax
            //   0f85bd000000         | dec                 eax
            //   33c0                 | add                 edx, dword ptr [esp + 0x60]
            //   89942498000000       | inc                 ecx
            //   899424a8000000       | call                dword ptr [edx + 0x20]

        $sequence_57 = { 488bcf c744242860ea0000 48895c2420 e8???????? 85c0 8bd8 7567 }
            // n = 7, score = 400
            //   488bcf               | lea                 esi, [eax + ecx - 0x124676d0]
            //   c744242860ea0000     | push                edi
            //   48895c2420           | lea                 eax, [ebp - 0xc]
            //   e8????????           |                     
            //   85c0                 | push                eax
            //   8bd8                 | mov                 eax, dword ptr [ebp + 0xc]
            //   7567                 | xor                 edi, edi

        $sequence_58 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | mov                 esi, dword ptr [ebp + 0xc]
            //   33ff                 | push                dword ptr [ebp - 8]
            //   47                   | lea                 esi, [eax + ecx - 0x124676d0]
            //   57                   | push                edi
            //   be????????           |                     
            //   56                   | lea                 eax, [ebp - 0xc]
            //   8d542418             | push                eax

        $sequence_59 = { 50 8b450c 33db 895dfc e8???????? 8945f8 33ff }
            // n = 7, score = 400
            //   50                   | push                dword ptr [ebp - 0xc]
            //   8b450c               | add                 esi, 0x3c6ef35f
            //   33db                 | mov                 dword ptr [ebp + 0xc], esi
            //   895dfc               | lea                 esi, [ebp + 0xc]
            //   e8????????           |                     
            //   8945f8               | mov                 esi, eax
            //   33ff                 | push                dword ptr [ebp - 8]

        $sequence_60 = { 8d750c e8???????? 8bf0 3bf3 741a }
            // n = 5, score = 400
            //   8d750c               | cmp                 eax, ebp
            //   e8????????           |                     
            //   8bf0                 | dec                 eax
            //   3bf3                 | mov                 ecx, edi
            //   741a                 | dec                 ecx

        $sequence_61 = { 56 33f6 46 8945f8 85c0 7551 }
            // n = 6, score = 400
            //   56                   | inc                 eax
            //   33f6                 | push                ebx
            //   46                   | dec                 eax
            //   8945f8               | sub                 esp, 0x20
            //   85c0                 | dec                 esp
            //   7551                 | mov                 eax, dword ptr [ecx + 8]

        $sequence_62 = { ff15???????? 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4883f8ff             | xor                 edi, edi
            //   488bf8               | jmp                 0xa
            //   7445                 | jmp                 5
            //   488d842488000000     | mov                 esi, dword ptr [ebp + 0xc]

        $sequence_63 = { 8945fc 85c0 7437 8b4df4 50 }
            // n = 5, score = 300
            //   8945fc               | inc                 esi
            //   85c0                 | mov                 dword ptr [ebp - 8], eax
            //   7437                 | test                eax, eax
            //   8b4df4               | jne                 0x59
            //   50                   | push                dword ptr [ebx]

        $sequence_64 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | push                eax
            //   0fb700               | push                dword ptr [ebx + 0x10]
            //   8bc8                 | xor                 edx, edx
            //   81e100f00000         | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_65 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | je                  0x1c
            //   ff15????????         |                     
            //   488bd8               | push                0x104
            //   493bc7               | lea                 ecx, [edi + 0x10]

        $sequence_66 = { 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 4c8d442440 }
            // n = 6, score = 300
            //   740e                 | mov                 dword ptr [edi + 0x4a18], esi
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | cmp                 dword ptr [edi + 0x4a1c], edx
            //   4c8d4c2440           | push                dword ptr [ebx]
            //   4c8d442440           | push                eax

        $sequence_67 = { 8b750c 83c410 53 ff75fc e8???????? }
            // n = 5, score = 300
            //   8b750c               | push                dword ptr [ebx + 0x10]
            //   83c410               | xor                 edx, edx
            //   53                   | mov                 dword ptr [edi + 0x4a18], esi
            //   ff75fc               | push                0x410
            //   e8????????           |                     

        $sequence_68 = { 8b45f0 40 c745e801000000 3b45f8 7319 ff45f4 }
            // n = 6, score = 300
            //   8b45f0               | lea                 ecx, [edi + 0x10]
            //   40                   | push                ecx
            //   c745e801000000       | push                0
            //   3b45f8               | push                0x400
            //   7319                 | lea                 eax, [edi + 0x218]
            //   ff45f4               | push                eax

        $sequence_69 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | push                0
            //   742f                 | push                eax
            //   488d4810             | test                eax, eax
            //   ff15????????         |                     

        $sequence_70 = { 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 6, score = 300
            //   4885c9               | test                eax, eax
            //   7405                 | jne                 0x5b
            //   e8????????           |                     
            //   4883c428             | push                dword ptr [ebx]
            //   c3                   | test                eax, eax
            //   4053                 | jne                 0x53

        $sequence_71 = { ff35???????? 33c0 e8???????? 33c9 41 85c0 7406 }
            // n = 7, score = 300
            //   ff35????????         |                     
            //   33c0                 | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     
            //   33c9                 | test                eax, eax
            //   41                   | jne                 0x5b
            //   85c0                 | inc                 esi
            //   7406                 | mov                 dword ptr [ebp - 8], eax

        $sequence_72 = { 395d10 0f8402010000 6a03 eb13 3bf3 0f84f6000000 395d10 }
            // n = 7, score = 300
            //   395d10               | je                  0x21
            //   0f8402010000         | push                0x104
            //   6a03                 | test                eax, eax
            //   eb13                 | je                  0x1c
            //   3bf3                 | push                0x104
            //   0f84f6000000         | lea                 ecx, [edi + 0x10]
            //   395d10               | xor                 esi, esi

        $sequence_73 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? 8bc8 }
            // n = 6, score = 300
            //   4d3bef               | push                0x410
            //   7415                 | mov                 dword ptr [ebp - 4], eax
            //   498bd5               | push                eax
            //   4883c9ff             | push                0x410
            //   ff15????????         |                     
            //   8bc8                 | mov                 dword ptr [ebp - 4], eax

        $sequence_74 = { 68???????? e9???????? 3bf3 0f84e5010000 395d14 0f84dc010000 }
            // n = 6, score = 300
            //   68????????           |                     
            //   e9????????           |                     
            //   3bf3                 | push                eax
            //   0f84e5010000         | push                esi
            //   395d14               | xor                 esi, esi
            //   0f84dc010000         | inc                 esi

        $sequence_75 = { 6a01 eb3d 3bf3 0f8420010000 395d10 0f8417010000 }
            // n = 6, score = 300
            //   6a01                 | mov                 dword ptr [ebp - 4], eax
            //   eb3d                 | test                eax, eax
            //   3bf3                 | je                  0x21
            //   0f8420010000         | push                0x410
            //   395d10               | mov                 dword ptr [ebp - 4], eax
            //   0f8417010000         | test                eax, eax

        $sequence_76 = { 5b c9 c20800 55 8bec 81ec1c010000 8d4807 }
            // n = 7, score = 200
            //   5b                   | dec                 esp
            //   c9                   | lea                 eax, [esp + 0x40]
            //   c20800               | dec                 eax
            //   55                   | mov                 dword ptr [esp + 0x30], eax
            //   8bec                 | je                  0x10
            //   81ec1c010000         | dec                 eax
            //   8d4807               | lea                 eax, [esp + 0x40]

        $sequence_77 = { 8b0d???????? 89442414 83c136 83caff f00fc111 }
            // n = 5, score = 200
            //   8b0d????????         |                     
            //   89442414             | mov                 dword ptr [ebp - 4], eax
            //   83c136               | test                eax, eax
            //   83caff               | je                  0x21
            //   f00fc111             | push                0x104

        $sequence_78 = { 5e c9 c21000 a1???????? 83c01e 50 ff15???????? }
            // n = 7, score = 200
            //   5e                   | inc                 esi
            //   c9                   | mov                 dword ptr [ebp - 8], eax
            //   c21000               | test                eax, eax
            //   a1????????           |                     
            //   83c01e               | jne                 0x59
            //   50                   | push                0x410
            //   ff15????????         |                     

        $sequence_79 = { 488b0d???????? 4883c12e ff15???????? 4c8b05???????? 448d7b02 418bd7 33c9 }
            // n = 7, score = 200
            //   488b0d????????       |                     
            //   4883c12e             | push                dword ptr [ebx + 0x20]
            //   ff15????????         |                     
            //   4c8b05????????       |                     
            //   448d7b02             | push                eax
            //   418bd7               | push                dword ptr [ebx + 0x20]
            //   33c9                 | push                esi

        $sequence_80 = { 6a0a ff15???????? a1???????? 8b4036 85c0 75ec a1???????? }
            // n = 7, score = 200
            //   6a0a                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   a1????????           |                     
            //   8b4036               | dec                 esp
            //   85c0                 | mov                 esi, eax
            //   75ec                 | inc                 ebp
            //   a1????????           |                     

        $sequence_81 = { 85ed 0f848d010000 a1???????? 8b35???????? 83c01e 50 }
            // n = 6, score = 200
            //   85ed                 | and                 eax, 0x80
            //   0f848d010000         | inc                 ecx
            //   a1????????           |                     
            //   8b35????????         |                     
            //   83c01e               | lea                 edx, [esi + 0x20]
            //   50                   | dec                 ecx

        $sequence_82 = { 4c8b1d???????? 418b4356 85c0 75e6 8a0f 41b1ff c6442420ff }
            // n = 7, score = 200
            //   4c8b1d????????       |                     
            //   418b4356             | inc                 ecx
            //   85c0                 | lea                 edx, [esi + 0x20]
            //   75e6                 | dec                 ecx
            //   8a0f                 | mov                 ecx, edi
            //   41b1ff               | dec                 esp
            //   c6442420ff           | mov                 esi, eax

        $sequence_83 = { 488b0d???????? 448be0 f0834156ff 85c0 7545 4c8b0d???????? 8b8424c0000000 }
            // n = 7, score = 200
            //   488b0d????????       |                     
            //   448be0               | lea                 ebx, [esi + 0x10]
            //   f0834156ff           | inc                 ebp
            //   85c0                 | xor                 esi, esi
            //   7545                 | dec                 eax
            //   4c8b0d????????       |                     
            //   8b8424c0000000       | mov                 ecx, dword ptr [ebx]

        $sequence_84 = { 83839c000000ff 397818 0f852ffcffff 33c0 }
            // n = 4, score = 200
            //   83839c000000ff       | dec                 ecx
            //   397818               | inc                 edi
            //   0f852ffcffff         | inc                 ecx
            //   33c0                 | lea                 edx, [esi + 0x20]

        $sequence_85 = { 5b 8be5 5d c3 0fb708 6683f902 751c }
            // n = 7, score = 200
            //   5b                   | jle                 0x430
            //   8be5                 | inc                 edx
            //   5d                   | cmp                 byte ptr [ebx + ebp], al
            //   c3                   | jne                 0x23
            //   0fb708               | jle                 0x430
            //   6683f902             | inc                 edx
            //   751c                 | cmp                 byte ptr [ebx + ebp], al

        $sequence_86 = { a1???????? 83c01e 50 ffd6 a1???????? 33c9 83c036 }
            // n = 7, score = 200
            //   a1????????           |                     
            //   83c01e               | xor                 esi, esi
            //   50                   | dec                 eax
            //   ffd6                 | mov                 ecx, dword ptr [ebx]
            //   a1????????           |                     
            //   33c9                 | and                 eax, 0x80
            //   83c036               | inc                 ecx

        $sequence_87 = { e9???????? 83e908 74eb 2bcb 0f84fa000000 }
            // n = 5, score = 200
            //   e9????????           |                     
            //   83e908               | inc                 ecx
            //   74eb                 | mov                 eax, dword ptr [esp + 0x1c]
            //   2bcb                 | dec                 eax
            //   0f84fa000000         | lea                 ebx, [esi + 0x10]

        $sequence_88 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | xor                 ecx, ecx
            //   48c7c101000080       | dec                 eax
            //   ff15????????         |                     

        $sequence_89 = { 8975f4 ffd7 8b1d???????? 6a3a b8???????? 56 }
            // n = 6, score = 200
            //   8975f4               | inc                 ebp
            //   ffd7                 | xor                 esi, esi
            //   8b1d????????         |                     
            //   6a3a                 | dec                 eax
            //   b8????????           |                     
            //   56                   | mov                 ecx, dword ptr [ebx]

        $sequence_90 = { 4c891d???????? 4c891d???????? 8d7b5b 33d2 }
            // n = 4, score = 200
            //   4c891d????????       |                     
            //   4c891d????????       |                     
            //   8d7b5b               | test                eax, eax
            //   33d2                 | dec                 esp

        $sequence_91 = { 488b05???????? f0834056ff 4885ff 0f8466010000 }
            // n = 4, score = 200
            //   488b05????????       |                     
            //   f0834056ff           | dec                 eax
            //   4885ff               | test                eax, eax
            //   0f8466010000         | dec                 eax

        $sequence_92 = { 89442420 e8???????? 488bf0 eb34 488d0595d6ffff 4885c0 }
            // n = 6, score = 200
            //   89442420             | push                0x104
            //   e8????????           |                     
            //   488bf0               | lea                 ecx, [edi + 0x10]
            //   eb34                 | mov                 dword ptr [ebp - 4], eax
            //   488d0595d6ffff       | test                eax, eax
            //   4885c0               | je                  0x1c

        $sequence_93 = { b8???????? e9???????? ff25???????? ff25???????? 68???????? 64a100000000 50 }
            // n = 7, score = 200
            //   b8????????           |                     
            //   e9????????           |                     
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   68????????           |                     
            //   64a100000000         | xor                 edx, edx
            //   50                   | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_94 = { 88040a 8b9314170000 83432801 b910000000 8d42f3 2aca }
            // n = 6, score = 200
            //   88040a               | xor                 esi, esi
            //   8b9314170000         | dec                 eax
            //   83432801             | mov                 ecx, dword ptr [ebx]
            //   b910000000           | and                 eax, 0x80
            //   8d42f3               | inc                 ecx
            //   2aca                 | lea                 edx, [esi + 0x20]

        $sequence_95 = { 5b c20800 51 53 57 }
            // n = 5, score = 200
            //   5b                   | dec                 esp
            //   c20800               | lea                 ecx, [esp + 0x40]
            //   51                   | je                  0x10
            //   53                   | dec                 eax
            //   57                   | lea                 eax, [esp + 0x40]

        $sequence_96 = { c3 33c0 483bc8 7458 488b5128 483bd0 744f }
            // n = 7, score = 200
            //   c3                   | mov                 ecx, edi
            //   33c0                 | dec                 esp
            //   483bc8               | mov                 esi, eax
            //   7458                 | dec                 eax
            //   488b5128             | test                eax, eax
            //   483bd0               | dec                 ecx
            //   744f                 | inc                 edi

        $sequence_97 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | jne                 0x23
            //   e8????????           |                     
            //   5e                   | inc                 esp
            //   5d                   | mov                 eax, edx
            //   5b                   | jle                 0x430
            //   c3                   | inc                 edx
            //   eb10                 | cmp                 byte ptr [ebx + ebp], al

        $sequence_98 = { 83a78c00000000 33c0 c3 51 e8???????? 0558020000 83d200 }
            // n = 7, score = 200
            //   83a78c00000000       | inc                 eax
            //   33c0                 | push                ebx
            //   c3                   | dec                 eax
            //   51                   | sub                 esp, 0x20
            //   e8????????           |                     
            //   0558020000           | xor                 ebx, ebx
            //   83d200               | inc                 ecx

        $sequence_99 = { e9???????? 83bbb000000004 0f84b4000000 3bca }
            // n = 4, score = 200
            //   e9????????           |                     
            //   83bbb000000004       | dec                 ecx
            //   0f84b4000000         | mov                 ecx, edi
            //   3bca                 | dec                 eax

        $sequence_100 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | dec                 esp
            //   4889442420           | mov                 dword ptr [esp + 0x20], ebp
            //   e8????????           |                     
            //   3bc3                 | dec                 esp
            //   0f859b000000         | mov                 eax, dword ptr [esp + 0x68]

        $sequence_101 = { 83c01e 50 ff15???????? a1???????? 6a01 ff30 8d442434 }
            // n = 7, score = 200
            //   83c01e               | dec                 ecx
            //   50                   | inc                 edi
            //   ff15????????         |                     
            //   a1????????           |                     
            //   6a01                 | inc                 ecx
            //   ff30                 | lea                 edx, [esi + 0x20]
            //   8d442434             | dec                 ecx

        $sequence_102 = { 83c40c 8d45fc 50 56 ff15???????? ff15???????? 8945cc }
            // n = 7, score = 200
            //   83c40c               | cmp                 dword ptr [edi + 0x4a1c], edx
            //   8d45fc               | jne                 0x53
            //   50                   | push                dword ptr [ebx]
            //   56                   | push                eax
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   8945cc               | push                0x410

        $sequence_103 = { e8???????? 488bd8 488b05???????? f0834056ff }
            // n = 4, score = 200
            //   e8????????           |                     
            //   488bd8               | mov                 esp, eax
            //   488b05????????       |                     
            //   f0834056ff           | push                0

        $sequence_104 = { ffd7 53 55 ffd7 a1???????? 83c01e 50 }
            // n = 7, score = 200
            //   ffd7                 | lea                 edx, [esi + 0x20]
            //   53                   | inc                 ecx
            //   55                   | lea                 edx, [esi + 0x20]
            //   ffd7                 | dec                 ecx
            //   a1????????           |                     
            //   83c01e               | mov                 ecx, edi
            //   50                   | dec                 esp

        $sequence_105 = { 0f8e2a040000 8a05???????? 4238042b 7521 }
            // n = 4, score = 200
            //   0f8e2a040000         | push                dword ptr [ebx]
            //   8a05????????         |                     
            //   4238042b             | push                eax
            //   7521                 | push                0x410

        $sequence_106 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | dec                 esp
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | mov                 eax, dword ptr [esp + 0x68]
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | xor                 edx, edx

        $sequence_107 = { 8d4602 66d3e0 66098310170000 8d4103 }
            // n = 4, score = 200
            //   8d4602               | dec                 ebp
            //   66d3e0               | mov                 eax, esp
            //   66098310170000       | xor                 edx, edx
            //   8d4103               | dec                 eax

        $sequence_108 = { 7cf4 eb0d 893c8dc0330410 ff05???????? 33db }
            // n = 5, score = 100
            //   7cf4                 | mov                 ecx, eax
            //   eb0d                 | inc                 ecx
            //   893c8dc0330410       | call                dword ptr [ebx + 0x18]
            //   ff05????????         |                     
            //   33db                 | dec                 esp

        $sequence_109 = { 57 e8???????? 6a01 8bd8 ffd6 5e }
            // n = 6, score = 100
            //   57                   | dec                 ecx
            //   e8????????           |                     
            //   6a01                 | inc                 edi
            //   8bd8                 | inc                 ecx
            //   ffd6                 | lea                 edx, [esi + 0x20]
            //   5e                   | dec                 ecx

        $sequence_110 = { 894df4 894df8 894dec c745e0e724be03 8945d8 751b }
            // n = 6, score = 100
            //   894df4               | and                 eax, 0x80
            //   894df8               | inc                 ecx
            //   894dec               | mov                 eax, dword ptr [esp + 0x1c]
            //   c745e0e724be03       | dec                 eax
            //   8945d8               | lea                 ebx, [esi + 0x10]
            //   751b                 | inc                 ebp

        $sequence_111 = { 75e5 56 e8???????? c3 8b4604 3bc6 }
            // n = 6, score = 100
            //   75e5                 | mov                 ebx, dword ptr [eax]
            //   56                   | dec                 eax
            //   e8????????           |                     
            //   c3                   | mov                 edx, dword ptr [esp + 0x60]
            //   8b4604               | inc                 ebp
            //   3bc6                 | xor                 ecx, ecx

        $sequence_112 = { 68???????? 8d45fc e8???????? 85c0 a3???????? 745b 8175fceb12d838 }
            // n = 7, score = 100
            //   68????????           |                     
            //   8d45fc               | mov                 ecx, edi
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   a3????????           |                     
            //   745b                 | mov                 esi, eax
            //   8175fceb12d838       | inc                 ebp

        $sequence_113 = { 50 8d45fc 50 e8???????? 85c0 7452 }
            // n = 6, score = 100
            //   50                   | xor                 esi, esi
            //   8d45fc               | dec                 eax
            //   50                   | mov                 ecx, dword ptr [ebx]
            //   e8????????           |                     
            //   85c0                 | and                 eax, 0x80
            //   7452                 | inc                 ecx

        $sequence_114 = { ff75fc e8???????? 8bf8 a1???????? 83c058 83c9ff f00fc108 }
            // n = 7, score = 100
            //   ff75fc               | dec                 eax
            //   e8????????           |                     
            //   8bf8                 | mov                 ecx, eax
            //   a1????????           |                     
            //   83c058               | dec                 ecx
            //   83c9ff               | mov                 ecx, ebx
            //   f00fc108             | dec                 ecx

        $sequence_115 = { 8bd8 83fb02 7529 f605????????01 7420 }
            // n = 5, score = 100
            //   8bd8                 | mov                 ecx, edi
            //   83fb02               | inc                 ecx
            //   7529                 | lea                 edx, [esi + 0x20]
            //   f605????????01       |                     
            //   7420                 | dec                 ecx

        $sequence_116 = { 83c418 53 e8???????? 8b7dfc 85f6 c745c03c000000 c745cc6885be03 }
            // n = 7, score = 100
            //   83c418               | and                 eax, 0x80
            //   53                   | inc                 ecx
            //   e8????????           |                     
            //   8b7dfc               | mov                 eax, dword ptr [esp + 0x1c]
            //   85f6                 | dec                 eax
            //   c745c03c000000       | lea                 ebx, [esi + 0x10]
            //   c745cc6885be03       | inc                 ebp

        $sequence_117 = { 85f6 89b31c70be03 740a 83c304 83fb14 72c9 }
            // n = 6, score = 100
            //   85f6                 | dec                 eax
            //   89b31c70be03         | lea                 ebx, [esi + 0x10]
            //   740a                 | inc                 ebp
            //   83c304               | xor                 esi, esi
            //   83fb14               | dec                 eax
            //   72c9                 | mov                 ecx, dword ptr [ebx]

        $sequence_118 = { ff75e8 ffd7 eb08 ff15???????? 8bd8 ff75f8 }
            // n = 6, score = 100
            //   ff75e8               | xor                 esi, esi
            //   ffd7                 | dec                 eax
            //   eb08                 | mov                 ecx, dword ptr [ebx]
            //   ff15????????         |                     
            //   8bd8                 | and                 eax, 0x80
            //   ff75f8               | inc                 ecx

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules