Symbol: win.dreambot
Common name: DreamBot

2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)

In 2014, a variant of Gozi ISFB was developed. The main change is in the dropper, which performs additional anti-VM checks (VMware, VirtualBox, QEMU), while the actual bot DLL remains largely unchanged. New functionality, such as Tor support, was added, however, and the Fluxxy fast-flux network is often used.

See win.gozi for additional historical information.

References
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-01-28 | Youtube (Virus Bulletin) | Benoît Ancel
The Bagsu banker case
https://www.youtube.com/watch?v=EyDiIAt__dI
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02 | RiskIQ | Jordan Herman
The Inter Skimmer Kit
https://community.riskiq.com/article/30f22a00
magecart DreamBot TeslaCrypt
2020-08-28 | Checkpoint | Check Point Research
Gozi: The Malware with a Thousand Faces
https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/
DreamBot ISFB LOLSnif SaiGon
2020-05-01 | CSIS | Benoît Ancel
The end of Dreambot? Obituary for a loved piece of Gozi.
https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122
DreamBot
2020-02-07 | Medium CSIS Techblog | Benoît Ancel
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451
DreamBot Glupteba
2017-05-29 | Lokalhost.pl | Maciej Kotowicz
Gozi Tree
https://lokalhost.pl/gozi_tree.txt
DreamBot Gozi ISFB Powersniff
2016-08-29 | Proofpoint | Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
DreamBot
Yara Rules
[TLP:WHITE] win_dreambot_auto (20221125 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7320 6a00 ff35???????? ffd6 8b44240c }
            // n = 5, score = 700
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   6a00                 | push                0
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]

        $sequence_1 = { a801 7454 68???????? 68???????? ff7320 e8???????? 8bf8 }
            // n = 7, score = 700
            //   a801                 | test                al, 1
            //   7454                 | je                  0x56
            //   68????????           |                     
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_2 = { ff75f8 e8???????? 8bf8 3bfb 754f ff7618 8b3d???????? }
            // n = 7, score = 700
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfb                 | cmp                 edi, ebx
            //   754f                 | jne                 0x51
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   8b3d????????         |                     

        $sequence_3 = { 897b20 6a00 68???????? ff7320 }
            // n = 4, score = 700
            //   897b20               | mov                 dword ptr [ebx + 0x20], edi
            //   6a00                 | push                0
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]

        $sequence_4 = { 8b4618 e8???????? eb09 ff7618 ff15???????? }
            // n = 5, score = 700
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   eb09                 | jmp                 0xb
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   ff15????????         |                     

        $sequence_5 = { e8???????? 8b7708 e8???????? 6a00 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b7708               | mov                 esi, dword ptr [edi + 8]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_6 = { 0f8555ffffff 894730 e9???????? 55 8bec 83ec10 }
            // n = 6, score = 700
            //   0f8555ffffff         | jne                 0xffffff5b
            //   894730               | mov                 dword ptr [edi + 0x30], eax
            //   e9????????           |                     
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10

        $sequence_7 = { ff7508 e8???????? 8bf8 85ff 755a 39451c 7475 }
            // n = 7, score = 700
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   755a                 | jne                 0x5c
            //   39451c               | cmp                 dword ptr [ebp + 0x1c], eax
            //   7475                 | je                  0x77

        $sequence_8 = { 85c0 7520 3bf3 741c 837d0c04 7516 }
            // n = 6, score = 600
            //   85c0                 | cmp                 dword ptr [ebp + 0xc], 4
            //   7520                 | jne                 0x18
            //   3bf3                 | push                dword ptr [ebp + 0x10]
            //   741c                 | push                dword ptr [esi]
            //   837d0c04             | test                eax, eax
            //   7516                 | jne                 0x22

        $sequence_9 = { e9???????? 3bf3 0f84b7000000 395d0c 0f84ae000000 6a01 ff750c }
            // n = 7, score = 600
            //   e9????????           |                     
            //   3bf3                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   0f84b7000000         | je                  0x81
            //   395d0c               | push                3
            //   0f84ae000000         | jmp                 0xffffffd5
            //   6a01                 | cmp                 esi, ebx
            //   ff750c               | je                  0xbd

        $sequence_10 = { 6a03 ebcc 3bf3 7474 }
            // n = 4, score = 600
            //   6a03                 | mov                 edi, dword ptr [ebp + 8]
            //   ebcc                 | jmp                 0x29
            //   3bf3                 | test                eax, eax
            //   7474                 | jne                 0x29

        $sequence_11 = { 0f8481000000 395d0c 747c 6a03 ebcc }
            // n = 5, score = 600
            //   0f8481000000         | mov                 dword ptr [ebp + 8], eax
            //   395d0c               | mov                 edi, dword ptr [ebp + 8]
            //   747c                 | jmp                 0x29
            //   6a03                 | test                eax, eax
            //   ebcc                 | je                  0x87

        $sequence_12 = { 6a0d ebbf ff7510 53 68???????? eb54 3bf3 }
            // n = 7, score = 600
            //   6a0d                 | push                dword ptr [ebp + 0xc]
            //   ebbf                 | cmp                 esi, ebx
            //   ff7510               | je                  0xbd
            //   53                   | cmp                 dword ptr [ebp + 0xc], ebx
            //   68????????           |                     
            //   eb54                 | push                0xd
            //   3bf3                 | jmp                 0xffffffc1

        $sequence_13 = { 837d0c04 7516 ff7510 ff36 68???????? }
            // n = 5, score = 600
            //   837d0c04             | push                ebx
            //   7516                 | push                dword ptr [ebp + 0xc]
            //   ff7510               | mov                 edi, esi
            //   ff36                 | mov                 dword ptr [ebp + 8], 0x57
            //   68????????           |                     

        $sequence_14 = { 68???????? e8???????? 894508 8b7d08 eb24 a1???????? 85c0 }
            // n = 7, score = 600
            //   68????????           |                     
            //   e8????????           |                     
            //   894508               | je                  0x7e
            //   8b7d08               | inc                 ecx
            //   eb24                 | mov                 eax, 0xd
            //   a1????????           |                     
            //   85c0                 | jmp                 0xffffffb1

        $sequence_15 = { 395d0c 7457 53 ff750c 8bfe c7450857000000 }
            // n = 6, score = 600
            //   395d0c               | mov                 dword ptr [ebp + 8], eax
            //   7457                 | mov                 edi, dword ptr [ebp + 8]
            //   53                   | jmp                 0x29
            //   ff750c               | test                eax, eax
            //   8bfe                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   c7450857000000       | je                  0x59

        $sequence_16 = { 7528 493bfd 7423 41b904000000 413bf1 7518 8b17 }
            // n = 7, score = 500
            //   7528                 | je                  0x9b
            //   493bfd               | inc                 ecx
            //   7423                 | mov                 eax, 3
            //   41b904000000         | jmp                 0xffffffc5
            //   413bf1               | dec                 ecx
            //   7518                 | cmp                 edi, ebp
            //   8b17                 | je                  0x92

        $sequence_17 = { 4c8b18 488b542460 4533c9 488bc8 }
            // n = 4, score = 500
            //   4c8b18               | or                  ecx, 0xffffffff
            //   488b542460           | dec                 ebp
            //   4533c9               | cmp                 ebp, edi
            //   488bc8               | je                  0x1a

        $sequence_18 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | test                eax, eax
            //   41834b3401           | jne                 0x53

        $sequence_19 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 }
            // n = 6, score = 500
            //   5f                   | mov                 edx, dword ptr [esp + 0xd8]
            //   c3                   | mov                 ecx, edi
            //   4053                 | inc                 ebp
            //   4883ec20             | mov                 eax, ebx
            //   4c8b4108             | dec                 esp
            //   488bd9               | mov                 eax, ebx

        $sequence_20 = { eb5a 493bfd 7464 413bf5 }
            // n = 4, score = 500
            //   eb5a                 | jmp                 0x5c
            //   493bfd               | dec                 ecx
            //   7464                 | cmp                 edi, ebp
            //   413bf5               | je                  0x66

        $sequence_21 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | pop                 edi
            //   4533c9               | ret                 
            //   4533c0               | inc                 eax
            //   ff5028               | push                ebx

        $sequence_22 = { 8bd6 488bcf bb57000000 e8???????? 413bc5 7446 448d4bac }
            // n = 7, score = 500
            //   8bd6                 | jne                 0x2a
            //   488bcf               | dec                 ecx
            //   bb57000000           | cmp                 edi, ebp
            //   e8????????           |                     
            //   413bc5               | je                  0x25
            //   7446                 | inc                 ecx
            //   448d4bac             | mov                 ecx, 4

        $sequence_23 = { 41b807000000 ebd7 493bfd 0f849b000000 413bf5 0f8492000000 }
            // n = 6, score = 500
            //   41b807000000         | inc                 ecx
            //   ebd7                 | cmp                 esi, ecx
            //   493bfd               | jne                 0x25
            //   0f849b000000         | mov                 edx, dword ptr [edi]
            //   413bf5               | mov                 edx, esi
            //   0f8492000000         | dec                 eax

        $sequence_24 = { 488d5e10 4533f6 488b0b 2580000000 }
            // n = 4, score = 500
            //   488d5e10             | test                eax, eax
            //   4533f6               | je                  0x1c
            //   488b0b               | push                0x104
            //   2580000000           | lea                 ecx, [edi + 0x10]

        $sequence_25 = { 413bf5 0f8492000000 41b803000000 ebbd }
            // n = 4, score = 500
            //   413bf5               | inc                 ecx
            //   0f8492000000         | cmp                 esi, ebp
            //   41b803000000         | inc                 ecx
            //   ebbd                 | cmp                 esi, ebp

        $sequence_26 = { ff15???????? e9???????? 493bfd 0f84d9000000 413bf5 }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   e9????????           |                     
            //   493bfd               | inc                 ecx
            //   0f84d9000000         | cmp                 esi, ebp
            //   413bf5               | je                  0x8a

        $sequence_27 = { 418d5620 498bcf ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 500
            //   418d5620             | push                0x410
            //   498bcf               | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   4c8bf0               | test                eax, eax
            //   4885c0               | mov                 dword ptr [ebp - 4], eax

        $sequence_28 = { 448bc6 488bd7 e8???????? eb2c 8b05???????? }
            // n = 5, score = 500
            //   448bc6               | je                  0xa1
            //   488bd7               | inc                 ecx
            //   e8????????           |                     
            //   eb2c                 | cmp                 esi, ebp
            //   8b05????????         |                     

        $sequence_29 = { 492bd0 4803542460 41ff5220 4c8b442460 e9???????? }
            // n = 5, score = 500
            //   492bd0               | dec                 ecx
            //   4803542460           | mov                 edx, ebp
            //   41ff5220             | dec                 eax
            //   4c8b442460           | or                  ecx, 0xffffffff
            //   e9????????           |                     

        $sequence_30 = { ebbd 493bfd 0f8481000000 413bf5 747c }
            // n = 5, score = 500
            //   ebbd                 | cmp                 edi, ebp
            //   493bfd               | je                  0xa4
            //   0f8481000000         | inc                 ecx
            //   413bf5               | cmp                 esi, ebp
            //   747c                 | je                  0xa4

        $sequence_31 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? }
            // n = 4, score = 500
            //   4c896c2420           | pop                 ebp
            //   e8????????           |                     
            //   4c8b442468           | ret                 4
            //   488b0d????????       |                     

        $sequence_32 = { 56 57 4154 4155 4156 4883ec30 837a3c04 }
            // n = 7, score = 400
            //   56                   | dec                 eax
            //   57                   | sub                 esp, 0x20
            //   4154                 | dec                 esp
            //   4155                 | mov                 eax, dword ptr [ecx + 8]
            //   4156                 | ret                 
            //   4883ec30             | inc                 eax
            //   837a3c04             | push                ebx

        $sequence_33 = { e8???????? 8bbc24b0030000 33d2 3bc2 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8bbc24b0030000       | add                 eax, 0x258
            //   33d2                 | mov                 esp, ebp
            //   3bc2                 | pop                 ebp

        $sequence_34 = { 46 8945f8 85c0 7551 ff33 50 6810040000 }
            // n = 7, score = 400
            //   46                   | sub                 esp, 0x20
            //   8945f8               | dec                 esp
            //   85c0                 | mov                 eax, dword ptr [ecx + 8]
            //   7551                 | dec                 eax
            //   ff33                 | mov                 ebx, ecx
            //   50                   | dec                 ebp
            //   6810040000           | test                eax, eax

        $sequence_35 = { 488bc8 48898424d8000000 ff15???????? 448bd8 b8abaaaaaa }
            // n = 5, score = 400
            //   488bc8               | mov                 dword ptr [esp + 0x20], ebp
            //   48898424d8000000     | dec                 esp
            //   ff15????????         |                     
            //   448bd8               | mov                 eax, dword ptr [esp + 0x68]
            //   b8abaaaaaa           | dec                 esp

        $sequence_36 = { 8945f8 33ff eb03 8b750c ff75f8 }
            // n = 5, score = 400
            //   8945f8               | xor                 edi, edi
            //   33ff                 | jmp                 0xa
            //   eb03                 | push                dword ptr [ebp - 0xc]
            //   8b750c               | add                 esi, 0x3c6ef35f
            //   ff75f8               | mov                 dword ptr [ebp + 0xc], esi

        $sequence_37 = { 4d8bc4 33d2 ff15???????? 488bf8 }
            // n = 4, score = 400
            //   4d8bc4               | dec                 esp
            //   33d2                 | lea                 ecx, [esp + 0x40]
            //   ff15????????         |                     
            //   488bf8               | dec                 esp

        $sequence_38 = { 89750c 8d750c e8???????? 8bf0 }
            // n = 4, score = 400
            //   89750c               | jmp                 0xffffffd2
            //   8d750c               | cmp                 esi, ebx
            //   e8????????           |                     
            //   8bf0                 | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_39 = { 3df3b7b9a2 746e 837c244c01 765d }
            // n = 4, score = 400
            //   3df3b7b9a2           | pop                 edi
            //   746e                 | ret                 
            //   837c244c01           | inc                 eax
            //   765d                 | push                ebx

        $sequence_40 = { 41b825000000 e8???????? 4885db 7417 488b0d???????? 4c8bc3 }
            // n = 6, score = 400
            //   41b825000000         | dec                 eax
            //   e8????????           |                     
            //   4885db               | cmp                 eax, -1
            //   7417                 | dec                 eax
            //   488b0d????????       |                     
            //   4c8bc3               | mov                 edi, eax

        $sequence_41 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | push                eax
            //   0f84e8000000         | xor                 ebx, ebx
            //   3d0470a8c4           | mov                 dword ptr [ebp - 4], ebx
            //   0f8486000000         | mov                 dword ptr [ebp - 8], eax

        $sequence_42 = { ff15???????? 85c0 7568 4c8d8c24d0000000 4c8d8424c8000000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | je                  0x47
            //   7568                 | dec                 eax
            //   4c8d8c24d0000000     | lea                 eax, [esp + 0x88]
            //   4c8d8424c8000000     | dec                 eax

        $sequence_43 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c }
            // n = 5, score = 400
            //   ff75f8               | lea                 eax, [ebp - 0xc]
            //   69f60d661900         | push                eax
            //   ff75f4               | mov                 eax, dword ptr [ebp + 0xc]
            //   81c65ff36e3c         | mov                 dword ptr [ebp - 4], ebx
            //   89750c               | mov                 dword ptr [ebp - 8], eax

        $sequence_44 = { 4c8bc3 33d2 ff15???????? 8bc6 488b9c24c0000000 4881c480000000 }
            // n = 6, score = 400
            //   4c8bc3               | dec                 eax
            //   33d2                 | mov                 edi, eax
            //   ff15????????         |                     
            //   8bc6                 | je                  0x47
            //   488b9c24c0000000     | dec                 eax
            //   4881c480000000       | lea                 eax, [esp + 0x88]

        $sequence_45 = { 458d343b 4183fe18 7718 488b9424d8000000 8bcf 458bc3 }
            // n = 6, score = 400
            //   458d343b             | mov                 dword ptr [esp + 0x20], ebp
            //   4183fe18             | dec                 esp
            //   7718                 | mov                 eax, dword ptr [esp + 0x68]
            //   488b9424d8000000     | xor                 edx, edx
            //   8bcf                 | dec                 eax
            //   458bc3               | cmp                 eax, -1

        $sequence_46 = { e8???????? 33d2 3bc2 0f85bd000000 33c0 89942498000000 899424a8000000 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   33d2                 | cmp                 cx, 2
            //   3bc2                 | jne                 0x27
            //   0f85bd000000         | and                 dword ptr [edi + 0x8c], 0
            //   33c0                 | xor                 eax, eax
            //   89942498000000       | ret                 
            //   899424a8000000       | push                ecx

        $sequence_47 = { 6810040000 ff15???????? 8945fc 85c0 741a }
            // n = 5, score = 400
            //   6810040000           | inc                 eax
            //   ff15????????         |                     
            //   8945fc               | push                ebx
            //   85c0                 | dec                 eax
            //   741a                 | sub                 esp, 0x20

        $sequence_48 = { 56 33f6 46 8945f8 }
            // n = 4, score = 400
            //   56                   | mov                 dword ptr [ebp - 8], eax
            //   33f6                 | test                eax, eax
            //   46                   | jne                 0x5b
            //   8945f8               | push                eax

        $sequence_49 = { 56 8db4083089b9ed 57 8d45f4 50 8b450c }
            // n = 6, score = 400
            //   56                   | je                  0x5e
            //   8db4083089b9ed       | cmp                 dword ptr [ebp + 0xc], ebx
            //   57                   | je                  0x87
            //   8d45f4               | cmp                 dword ptr [ebp + 0xc], ebx
            //   50                   | je                  0x7e
            //   8b450c               | push                3

        $sequence_50 = { 33db 895dfc e8???????? 8945f8 33ff }
            // n = 5, score = 400
            //   33db                 | mov                 esi, eax
            //   895dfc               | lea                 esi, [eax + ecx - 0x124676d0]
            //   e8????????           |                     
            //   8945f8               | push                edi
            //   33ff                 | lea                 eax, [ebp - 0xc]

        $sequence_51 = { 8d8718020000 50 ff7310 ff15???????? 33d2 89b7184a0000 }
            // n = 6, score = 400
            //   8d8718020000         | inc                 ebp
            //   50                   | xor                 ecx, ecx
            //   ff7310               | inc                 ebp
            //   ff15????????         |                     
            //   33d2                 | xor                 eax, eax
            //   89b7184a0000         | call                dword ptr [eax + 0x28]

        $sequence_52 = { 44897630 89464c 8b464c a840 }
            // n = 4, score = 400
            //   44897630             | dec                 eax
            //   89464c               | sub                 esp, 0x20
            //   8b464c               | dec                 esp
            //   a840                 | mov                 eax, dword ptr [ecx + 8]

        $sequence_53 = { c78424a000000001000000 89bc24b0030000 895c2440 eb07 8bbc24b0030000 }
            // n = 5, score = 400
            //   c78424a000000001000000     | pop    ebx
            //   89bc24b0030000       | mov                 esp, ebp
            //   895c2440             | pop                 ebp
            //   eb07                 | ret                 
            //   8bbc24b0030000       | movzx               ecx, word ptr [eax]

        $sequence_54 = { 75f5 eb06 8b05???????? 35fc5585cf }
            // n = 4, score = 400
            //   75f5                 | mov                 ecx, eax
            //   eb06                 | dec                 eax
            //   8b05????????         |                     
            //   35fc5585cf           | mov                 dword ptr [esp + 0xd8], eax

        $sequence_55 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | inc                 esi
            //   6a00                 | mov                 dword ptr [ebp - 8], eax
            //   6800004000           | test                eax, eax
            //   6a00                 | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | push                eax

        $sequence_56 = { 48895f2c 8b464c a802 7410 8b464c a840 7509 }
            // n = 7, score = 400
            //   48895f2c             | dec                 eax
            //   8b464c               | mov                 ebx, ecx
            //   a802                 | pop                 edi
            //   7410                 | ret                 
            //   8b464c               | inc                 eax
            //   a840                 | push                ebx
            //   7509                 | dec                 eax

        $sequence_57 = { e8???????? eb08 ff15???????? 8bd8 85db }
            // n = 5, score = 400
            //   e8????????           |                     
            //   eb08                 | sub                 esp, 0x11c
            //   ff15????????         |                     
            //   8bd8                 | lea                 ecx, [eax + 7]
            //   85db                 | and                 ecx, 0xfffffff8

        $sequence_58 = { 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | pop                 ebp
            //   488bf8               | ret                 4
            //   7445                 | push                0
            //   488d842488000000     | mov                 dword ptr [ebp - 4], edi

        $sequence_59 = { 4489634c 488b4b50 4885c9 741d e8???????? }
            // n = 5, score = 400
            //   4489634c             | dec                 eax
            //   488b4b50             | sub                 esp, 0x20
            //   4885c9               | dec                 esp
            //   741d                 | mov                 eax, dword ptr [ecx + 8]
            //   e8????????           |                     

        $sequence_60 = { 85c0 741a 6804010000 8d4f10 51 6a00 }
            // n = 6, score = 400
            //   85c0                 | dec                 ebp
            //   741a                 | test                eax, eax
            //   6804010000           | ret                 
            //   8d4f10               | inc                 eax
            //   51                   | push                ebx
            //   6a00                 | dec                 eax

        $sequence_61 = { 3c09 7618 8a07 2c41 3c05 8a07 7704 }
            // n = 7, score = 400
            //   3c09                 | sub                 esp, 0x20
            //   7618                 | dec                 esp
            //   8a07                 | mov                 eax, dword ptr [ecx + 8]
            //   2c41                 | dec                 eax
            //   3c05                 | mov                 ebx, ecx
            //   8a07                 | dec                 ebp
            //   7704                 | test                eax, eax

        $sequence_62 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | xor                 edi, edi
            //   33ff                 | jmp                 0xf
            //   47                   | xor                 edi, edi
            //   57                   | jmp                 5
            //   be????????           |                     
            //   56                   | mov                 esi, dword ptr [ebp + 0xc]
            //   8d542418             | push                dword ptr [ebp - 8]

        $sequence_63 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | push                0xa
            //   ff15????????         |                     
            //   488bd8               | mov                 eax, dword ptr [eax + 0x36]
            //   493bc7               | test                eax, eax

        $sequence_64 = { e8???????? 8bd8 39751c 756c 3bde 742f f7450c00000060 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8bd8                 | push                0x400000
            //   39751c               | push                0
            //   756c                 | test                eax, eax
            //   3bde                 | ret                 
            //   742f                 | push                0
            //   f7450c00000060       | push                0x400000

        $sequence_65 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | push                0x3a
            //   742f                 | push                0xa
            //   488d4810             | mov                 eax, dword ptr [eax + 0x36]
            //   ff15????????         |                     

        $sequence_66 = { 57 ff15???????? 85c0 0f8497010000 be???????? 8d7dd4 }
            // n = 6, score = 300
            //   57                   | lea                 ecx, [edi + 0x10]
            //   ff15????????         |                     
            //   85c0                 | push                0x410
            //   0f8497010000         | mov                 dword ptr [ebp - 4], eax
            //   be????????           |                     
            //   8d7dd4               | test                eax, eax

        $sequence_67 = { 0f85d1020000 837d1010 750b 56 e8???????? e9???????? 6a57 }
            // n = 7, score = 300
            //   0f85d1020000         | je                  0x21
            //   837d1010             | push                0x104
            //   750b                 | push                eax
            //   56                   | push                0x410
            //   e8????????           |                     
            //   e9????????           |                     
            //   6a57                 | mov                 dword ptr [ebp - 4], eax

        $sequence_68 = { 488b0d???????? 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 7, score = 300
            //   488b0d????????       |                     
            //   4885c9               | push                dword ptr [ebx]
            //   7405                 | push                eax
            //   e8????????           |                     
            //   4883c428             | jne                 0x53
            //   c3                   | push                dword ptr [ebx]
            //   4053                 | push                eax

        $sequence_69 = { 8be5 5d c20400 8325????????00 6a00 68???????? }
            // n = 6, score = 300
            //   8be5                 | imul                esi, esi, 0x19660d
            //   5d                   | push                dword ptr [ebp - 0xc]
            //   c20400               | add                 esi, 0x3c6ef35f
            //   8325????????00       |                     
            //   6a00                 | add                 esi, 0x3c6ef35f
            //   68????????           |                     

        $sequence_70 = { 83c730 57 8945f4 e8???????? 8945f8 85c0 }
            // n = 6, score = 300
            //   83c730               | test                eax, eax
            //   57                   | je                  0x26
            //   8945f4               | push                0x104
            //   e8????????           |                     
            //   8945f8               | ret                 
            //   85c0                 | push                0

        $sequence_71 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | mov                 eax, dword ptr [edi + 0x4a18]
            //   0fb700               | push                esi
            //   8bc8                 | xor                 esi, esi
            //   81e100f00000         | inc                 esi

        $sequence_72 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? 8bc8 ff15???????? }
            // n = 7, score = 300
            //   4d3bef               | mov                 eax, dword ptr fs:[0]
            //   7415                 | push                eax
            //   498bd5               | mov                 eax, dword ptr fs:[0]
            //   4883c9ff             | push                eax
            //   ff15????????         |                     
            //   8bc8                 | mov                 eax, dword ptr [esp + 0x10]
            //   ff15????????         |                     

        $sequence_73 = { 33ff 897dfc 393d???????? 754a a1???????? }
            // n = 5, score = 300
            //   33ff                 | push                dword ptr [ebx]
            //   897dfc               | push                eax
            //   393d????????         |                     
            //   754a                 | push                0x410
            //   a1????????           |                     

        $sequence_74 = { f605????????04 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 4c8d442440 }
            // n = 7, score = 300
            //   f605????????04       |                     
            //   740e                 | inc                 ecx
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | lea                 edx, [esi + 0x20]
            //   4c8d4c2440           | dec                 ecx
            //   4c8d442440           | mov                 ecx, edi

        $sequence_75 = { 895df4 894df8 e8???????? 8945fc 3bc3 0f843b010000 }
            // n = 6, score = 300
            //   895df4               | mov                 dword ptr [ebp - 4], eax
            //   894df8               | test                eax, eax
            //   e8????????           |                     
            //   8945fc               | test                eax, eax
            //   3bc3                 | jne                 0x53
            //   0f843b010000         | push                dword ptr [ebx]

        $sequence_76 = { eb62 3bf3 0f84cd000000 395d10 0f84c4000000 53 }
            // n = 6, score = 300
            //   eb62                 | push                eax
            //   3bf3                 | push                0x410
            //   0f84cd000000         | mov                 dword ptr [ebp - 4], eax
            //   395d10               | test                eax, eax
            //   0f84c4000000         | je                  0x21
            //   53                   | push                0x104

        $sequence_77 = { 6a0a ff15???????? a1???????? 8b4036 }
            // n = 4, score = 200
            //   6a0a                 | test                eax, eax
            //   ff15????????         |                     
            //   a1????????           |                     
            //   8b4036               | je                  0x1e

        $sequence_78 = { 83c136 83caff f00fc111 33f6 3bc6 }
            // n = 5, score = 200
            //   83c136               | or                  ecx, 0xffffffff
            //   83caff               | je                  0x10
            //   f00fc111             | dec                 eax
            //   33f6                 | lea                 eax, [esp + 0x40]
            //   3bc6                 | dec                 esp

        $sequence_79 = { 4c891d???????? 4c891d???????? 8d7b5b 33d2 4c8bc7 }
            // n = 5, score = 200
            //   4c891d????????       |                     
            //   4c891d????????       |                     
            //   8d7b5b               | mov                 esi, dword ptr [esp + 0x58]
            //   33d2                 | dec                 eax
            //   4c8bc7               | add                 esp, 0x20

        $sequence_80 = { 41 f00fc108 a1???????? 83c01e }
            // n = 4, score = 200
            //   41                   | dec                 ecx
            //   f00fc108             | mov                 edx, ebp
            //   a1????????           |                     
            //   83c01e               | dec                 eax

        $sequence_81 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | xor                 ecx, ecx
            //   e8????????           |                     
            //   5e                   | dec                 eax
            //   5d                   | mov                 ecx, edi
            //   5b                   | xor                 ecx, ecx
            //   c3                   | dec                 eax
            //   eb10                 | mov                 ecx, edi

        $sequence_82 = { c1ed03 0fb70442 6683e107 66898c4788000000 }
            // n = 4, score = 200
            //   c1ed03               | inc                 ecx
            //   0fb70442             | lea                 edx, [esi + 0x20]
            //   6683e107             | inc                 ecx
            //   66898c4788000000     | lea                 edx, [esi + 0x20]

        $sequence_83 = { 488bce ff15???????? 488b0d???????? 4883c12e ff15???????? }
            // n = 5, score = 200
            //   488bce               | cmp                 eax, ebp
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4883c12e             | je                  0x31
            //   ff15????????         |                     

        $sequence_84 = { ff15???????? 8bd8 413bde 0f85fb010000 488b05???????? 44017804 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8bd8                 | pop                 esp
            //   413bde               | pop                 edi
            //   0f85fb010000         | ret                 
            //   488b05????????       |                     
            //   44017804             | dec                 ecx

        $sequence_85 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | dec                 ecx
            //   48c7c101000080       | mov                 edx, ebp
            //   ff15????????         |                     

        $sequence_86 = { e8???????? 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83a78c00000000       | jle                 0x430
            //   33c0                 | inc                 edx
            //   c3                   | cmp                 byte ptr [ebx + ebp], al
            //   51                   | jne                 0x27
            //   e8????????           |                     

        $sequence_87 = { 74d6 ff763f ff15???????? ff35???????? 8d7e18 57 }
            // n = 6, score = 200
            //   74d6                 | mov                 dword ptr [ebp - 8], eax
            //   ff763f               | test                eax, eax
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d7e18               | push                esi
            //   57                   | xor                 esi, esi

        $sequence_88 = { c9 c20800 55 8bec 81ec1c010000 8d4807 83e1f8 }
            // n = 7, score = 200
            //   c9                   | dec                 eax
            //   c20800               | add                 esp, 0x28
            //   55                   | ret                 
            //   8bec                 | inc                 eax
            //   81ec1c010000         | push                ebx
            //   8d4807               | dec                 eax
            //   83e1f8               | sub                 esp, 0x20

        $sequence_89 = { 68???????? 8975f4 ffd7 8b1d???????? 6a3a b8???????? }
            // n = 6, score = 200
            //   68????????           |                     
            //   8975f4               | push                eax
            //   ffd7                 | push                0x410
            //   8b1d????????         |                     
            //   6a3a                 | mov                 dword ptr [ebp - 4], eax
            //   b8????????           |                     

        $sequence_90 = { a1???????? 8b4c2404 8908 83c01e }
            // n = 4, score = 200
            //   a1????????           |                     
            //   8b4c2404             | pop                 esp
            //   8908                 | pop                 edi
            //   83c01e               | dec                 ebp

        $sequence_91 = { eb14 a1???????? 89701a 8b4508 8938 eb14 bbb7000000 }
            // n = 7, score = 200
            //   eb14                 | mov                 ebp, dword ptr [esp + 0x50]
            //   a1????????           |                     
            //   89701a               | mov                 eax, esi
            //   8b4508               | dec                 eax
            //   8938                 | mov                 esi, dword ptr [esp + 0x58]
            //   eb14                 | dec                 eax
            //   bbb7000000           | add                 esp, 0x20

        $sequence_92 = { 74eb 2bcb 0f84fa000000 2bcb }
            // n = 4, score = 200
            //   74eb                 | dec                 eax
            //   2bcb                 | lea                 ebx, [esi + 0x10]
            //   0f84fa000000         | inc                 ebp
            //   2bcb                 | xor                 esi, esi

        $sequence_93 = { eb34 488d0595d6ffff 4885c0 7428 8b7b10 }
            // n = 5, score = 200
            //   eb34                 | dec                 eax
            //   488d0595d6ffff       | test                eax, eax
            //   4885c0               | dec                 ecx
            //   7428                 | inc                 edi
            //   8b7b10               | inc                 ecx

        $sequence_94 = { e9???????? ff25???????? ff25???????? 68???????? 64a100000000 50 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   68????????           |                     
            //   64a100000000         | push                dword ptr [ebx]
            //   50                   | push                eax

        $sequence_95 = { 0f848d010000 a1???????? 8b35???????? 83c01e 50 ffd6 }
            // n = 6, score = 200
            //   0f848d010000         | dec                 eax
            //   a1????????           |                     
            //   8b35????????         |                     
            //   83c01e               | mov                 esi, dword ptr [esp + 0x58]
            //   50                   | dec                 eax
            //   ffd6                 | add                 esp, 0x20

        $sequence_96 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | push                dword ptr [esi + 0x3f]
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | lea                 edi, [esi + 0x18]
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | push                edi

        $sequence_97 = { 448be0 f0834156ff 85c0 7545 4c8b0d???????? 8b8424c0000000 }
            // n = 6, score = 200
            //   448be0               | dec                 eax
            //   f0834156ff           | or                  ecx, 0xffffffff
            //   85c0                 | mov                 ecx, eax
            //   7545                 | mov                 eax, esi
            //   4c8b0d????????       |                     
            //   8b8424c0000000       | dec                 eax

        $sequence_98 = { 4883c12e ff15???????? 488b15???????? 488bcd 488b12 e8???????? }
            // n = 6, score = 200
            //   4883c12e             | inc                 ecx
            //   ff15????????         |                     
            //   488b15????????       |                     
            //   488bcd               | pop                 ebp
            //   488b12               | inc                 ecx
            //   e8????????           |                     

        $sequence_99 = { 5e 5b c20800 51 53 57 }
            // n = 6, score = 200
            //   5e                   | xor                 ebx, ebx
            //   5b                   | inc                 ecx
            //   c20800               | cmp                 eax, 0x11
            //   51                   | dec                 eax
            //   53                   | test                ecx, ecx
            //   57                   | je                  7

        $sequence_100 = { e9???????? 83bbb000000004 0f84b4000000 3bca }
            // n = 4, score = 200
            //   e9????????           |                     
            //   83bbb000000004       | dec                 ecx
            //   0f84b4000000         | mov                 ecx, edi
            //   3bca                 | dec                 esp

        $sequence_101 = { 5b 8be5 5d c3 0fb708 6683f902 }
            // n = 6, score = 200
            //   5b                   | dec                 esp
            //   8be5                 | lea                 ecx, [esp + 0x40]
            //   5d                   | dec                 esp
            //   c3                   | lea                 eax, [esp + 0x40]
            //   0fb708               | jle                 0x430
            //   6683f902             | inc                 edx

        $sequence_102 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | mov                 dword ptr [ebp + 0xc], eax
            //   4889442420           | test                eax, eax
            //   e8????????           |                     
            //   3bc3                 | je                  0x26
            //   0f859b000000         | jmp                 9

        $sequence_103 = { 81c101010000 83e00f 03d3 c1ed04 83c004 81f91e010000 894f74 }
            // n = 7, score = 200
            //   81c101010000         | dec                 eax
            //   83e00f               | lea                 ebx, [esi + 0x10]
            //   03d3                 | inc                 ebp
            //   c1ed04               | xor                 esi, esi
            //   83c004               | dec                 eax
            //   81f91e010000         | mov                 ecx, dword ptr [ebx]
            //   894f74               | and                 eax, 0x80

        $sequence_104 = { 8d5857 eb15 488b05???????? 89702a }
            // n = 4, score = 200
            //   8d5857               | dec                 eax
            //   eb15                 | mov                 ebx, eax
            //   488b05????????       |                     
            //   89702a               | dec                 ecx

        $sequence_105 = { 0f8e2a040000 8a05???????? 4238042b 7521 448bc2 4963ce }
            // n = 6, score = 200
            //   0f8e2a040000         | inc                 esi
            //   8a05????????         |                     
            //   4238042b             | mov                 dword ptr [ebp - 8], eax
            //   7521                 | test                eax, eax
            //   448bc2               | jne                 0x55
            //   4963ce               | push                dword ptr [ebx]

        $sequence_106 = { c3 33c0 483bc8 7458 488b5128 483bd0 }
            // n = 6, score = 200
            //   c3                   | dec                 ecx
            //   33c0                 | mov                 ecx, edi
            //   483bc8               | dec                 esp
            //   7458                 | mov                 esi, eax
            //   488b5128             | dec                 eax
            //   483bd0               | test                eax, eax

        $sequence_107 = { 897760 488b6c2438 488b742440 4883c420 5f c3 48895c2408 }
            // n = 7, score = 200
            //   897760               | dec                 eax
            //   488b6c2438           | lea                 ebx, [esi + 0x10]
            //   488b742440           | inc                 ebp
            //   4883c420             | xor                 esi, esi
            //   5f                   | dec                 eax
            //   c3                   | mov                 ecx, dword ptr [ebx]
            //   48895c2408           | and                 eax, 0x80

        $sequence_108 = { c3 a1???????? 83c01e 50 ff15???????? }
            // n = 5, score = 200
            //   c3                   | or                  ecx, 0xffffffff
            //   a1????????           |                     
            //   83c01e               | mov                 ecx, eax
            //   50                   | mov                 eax, esi
            //   ff15????????         |                     

        $sequence_109 = { 8bd0 83e20f 4f 33ca c1e804 46 33048d1062be03 }
            // n = 7, score = 100
            //   8bd0                 | je                  0x104
            //   83e20f               | sub                 ecx, ebx
            //   4f                   | sub                 ecx, 8
            //   33ca                 | je                  0xffffffed
            //   c1e804               | sub                 ecx, ebx
            //   46                   | je                  0x104
            //   33048d1062be03       | sub                 ecx, ebx

        $sequence_110 = { 3934850875be03 742a 8d41ff 85c0 7c10 3934850875be03 }
            // n = 6, score = 100
            //   3934850875be03       | je                  0x13f
            //   742a                 | je                  0xffffffed
            //   8d41ff               | sub                 ecx, ebx
            //   85c0                 | je                  0x102
            //   7c10                 | sub                 ecx, ebx
            //   3934850875be03       | je                  0x13d

        $sequence_111 = { 848698046e99 16 6481f986257614 c1730921 }
            // n = 4, score = 100
            //   848698046e99         | and                 cx, 7
            //   16                   | mov                 word ptr [edi + eax*2 + 0x88], cx
            //   6481f986257614       | add                 dword ptr [edi + 0x7c], ebx
            //   c1730921             | add                 esi, -3

        $sequence_112 = { a3???????? e8???????? 8bf0 3bf3 0f859d010000 }
            // n = 5, score = 100
            //   a3????????           |                     
            //   e8????????           |                     
            //   8bf0                 | add                 dword ptr [edi + 0x7c], ebx
            //   3bf3                 | shr                 ebp, 3
            //   0f859d010000         | movzx               eax, word ptr [edx + eax*2]

        $sequence_113 = { c744244410410310 c744244800000000 894c242c e8???????? b836000000 }
            // n = 5, score = 100
            //   c744244410410310     | mov                 word ptr [edi + eax*2 + 0x88], cx
            //   c744244800000000     | cmp                 dword ptr [ebx + 0xb0], 4
            //   894c242c             | je                  0xba
            //   e8????????           |                     
            //   b836000000           | cmp                 ecx, edx

        $sequence_114 = { 5e 5f 8bc3 5b c20800 55 8bec }
            // n = 7, score = 100
            //   5e                   | add                 esi, -3
            //   5f                   | mov                 eax, dword ptr [edi + 0x70]
            //   8bc3                 | je                  0xffffffed
            //   5b                   | sub                 ecx, ebx
            //   c20800               | je                  0x102
            //   55                   | sub                 ecx, ebx
            //   8bec                 | sub                 ecx, 8

        $sequence_115 = { 85c9 7e0e 3934850875be03 742b 40 3bc1 7cf2 }
            // n = 7, score = 100
            //   85c9                 | shr                 ebp, 4
            //   7e0e                 | add                 eax, 4
            //   3934850875be03       | cmp                 ecx, 0x11e
            //   742b                 | mov                 dword ptr [edi + 0x74], ecx
            //   40                   | cmp                 ecx, 0x16
            //   3bc1                 | jg                  0x8b0
            //   7cf2                 | je                  0x81b

        $sequence_116 = { e8???????? 85c0 7404 8b30 03f5 85f6 89b31c70be03 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | je                  0xffffffed
            //   7404                 | sub                 ecx, ebx
            //   8b30                 | je                  0x104
            //   03f5                 | sub                 ecx, 8
            //   85f6                 | je                  0xffffffed
            //   89b31c70be03         | sub                 ecx, ebx

        $sequence_117 = { 896f24 c7472834ed0310 c7472c40ed0310 c7473044ed0310 7505 b8???????? 8b4c2474 }
            // n = 7, score = 100
            //   896f24               | add                 eax, 4
            //   c7472834ed0310       | cmp                 ecx, 0x11e
            //   c7472c40ed0310       | mov                 dword ptr [edi + 0x74], ecx
            //   c7473044ed0310       | shr                 ebp, 3
            //   7505                 | movzx               eax, word ptr [edx + eax*2]
            //   b8????????           |                     
            //   8b4c2474             | and                 cx, 7

        $sequence_118 = { 56 ff7508 8d45e8 e8???????? }
            // n = 4, score = 100
            //   56                   | dec                 esp
            //   ff7508               | mov                 ebx, dword ptr [eax]
            //   8d45e8               | dec                 eax
            //   e8????????           |                     

        $sequence_119 = { 6a00 57 ff14c51c250410 8bd8 e9???????? 80f9c5 }
            // n = 6, score = 100
            //   6a00                 | mov                 edx, dword ptr [ecx + 0x28]
            //   57                   | add                 ecx, 0x101
            //   ff14c51c250410       | and                 eax, 0xf
            //   8bd8                 | add                 edx, ebx
            //   e9????????           |                     
            //   80f9c5               | shr                 ebp, 4

    condition:
        7 of them and filesize < 802816
}