SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dridex (Back to overview)

Dridex

Actor(s): TA505, INDRIK SPIDER

URLhaus    

OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."
According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

References
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-09-18AppGateGustavo Palazolo, Felipe Duarte
@online{palazolo:20200918:reverse:689e4cb, author = {Gustavo Palazolo and Felipe Duarte}, title = {{Reverse Engineering Dridex and Automating IOC Extraction}}, date = {2020-09-18}, organization = {AppGate}, url = {https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction}, language = {English}, urldate = {2020-09-25} } Reverse Engineering Dridex and Automating IOC Extraction
Dridex
2020-09-10SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } Recent Dridex activity
Dridex
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-08-21Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-03The DFIR Report
@online{report:20200803:dridex:165cf39, author = {The DFIR Report}, title = {{Dridex – From Word to Domain Dominance}}, date = {2020-08-03}, url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/}, language = {English}, urldate = {2020-08-05} } Dridex – From Word to Domain Dominance
Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-19ReaqtaReaqta
@online{reaqta:20200619:dridex:54f4dd5, author = {Reaqta}, title = {{Dridex: the secret in a PostMessage()}}, date = {2020-06-19}, organization = {Reaqta}, url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/}, language = {English}, urldate = {2020-06-22} } Dridex: the secret in a PostMessage()
Dridex
2020-06-05VotiroVotiro’s Research Team
@online{team:20200605:anatomy:3047f6e, author = {Votiro’s Research Team}, title = {{Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19}}, date = {2020-06-05}, organization = {Votiro}, url = {https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/}, language = {English}, urldate = {2020-06-10} } Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex
2020-05-27GAIS-CERTGAIS-CERT
@techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } Dridex Banking Trojan Technical Analysis Report
Dridex
2020-05-25CERT-FRCERT-FR
@techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } Le Code Malveillant Dridex: Origines et Usages
Dridex
2020-05-25CERT-FRCERT-FR
@online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-07-12CrowdStrikeBrett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
2019-05-14GovCERT.chGovCERT.ch
@online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } The Rise of Dridex and the Role of ESPs
Dridex
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-01-26ESET ResearchMichal Poslušný
@online{poslun:20180126:friedex:3c3f46b, author = {Michal Poslušný}, title = {{FriedEx: BitPaymer ransomware the work of Dridex authors}}, date = {2018-01-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/}, language = {English}, urldate = {2019-11-14} } FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx
2017-08-01Panda SecurityPanda Security
@techreport{security:20170801:malware:e92cd36, author = {Panda Security}, title = {{Malware Report: Dridex Version 4}}, date = {2017-08-01}, institution = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf}, language = {English}, urldate = {2020-04-14} } Malware Report: Dridex Version 4
Dridex
2017-07-25Github (viql)Johannes Bader
@online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } Dridex Loot
Dridex
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-02-28Security IntelligenceMagal Baz, Or Safran
@online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } Dridex’s Cold War: Enter AtomBombing
Dridex
2017-01-26FlashpointFlashpoint
@online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex
2016-02-16SymantecDick O'Brien
@techreport{obrien:20160216:dridex:7abdc31, author = {Dick O'Brien}, title = {{Dridex: Tidal waves of spam pushing dangerous financial Trojan}}, date = {2016-02-16}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf}, language = {English}, urldate = {2020-01-08} } Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex
2015-11-10CERT.PLCERT.PL
@online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } Talking to Dridex (part 0) – inside the dropper
Dridex
2015-10-26BluelivBlueliv
@techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-10-15BitSightAnubisLabs
@techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } Dridex: Chasing a botnet from the inside
Dridex
2015-10-13SecureworksBrett Stone-Gross
@online{stonegross:20151013:dridex:46d9a58, author = {Brett Stone-Gross}, title = {{Dridex (Bugat v5) Botnet Takeover Operation}}, date = {2015-10-13}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation}, language = {English}, urldate = {2020-01-08} } Dridex (Bugat v5) Botnet Takeover Operation
Dridex
Yara Rules
[TLP:WHITE] win_dridex_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 85c0 7512 e8???????? eb03 }
            // n = 5, score = 4000
            //   ffd6                 | dec                 eax
            //   85c0                 | lea                 ecx, [esp + 0x50]
            //   7512                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   eb03                 | cmp                 byte ptr [esp + 0x50], 0

        $sequence_1 = { e8???????? b910270000 e8???????? e8???????? }
            // n = 4, score = 4000
            //   e8????????           |                     
            //   b910270000           | mov                 ecx, 0x2710
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_2 = { c605????????01 c3 c605????????00 c3 }
            // n = 4, score = 3900
            //   c605????????01       |                     
            //   c3                   | ret                 
            //   c605????????00       |                     
            //   c3                   | ret                 

        $sequence_3 = { 83f8ff 7505 e8???????? 3d34270000 }
            // n = 4, score = 3900
            //   83f8ff               | cmp                 eax, -1
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   3d34270000           | cmp                 eax, 0x2734

        $sequence_4 = { ffd0 85c0 751f e8???????? }
            // n = 4, score = 3800
            //   ffd0                 | ret                 
            //   85c0                 | ret                 
            //   751f                 | cmp                 eax, -1
            //   e8????????           |                     

        $sequence_5 = { e8???????? 84c0 740c b9e8030000 }
            // n = 4, score = 3800
            //   e8????????           |                     
            //   84c0                 | test                eax, eax
            //   740c                 | jne                 0x16
            //   b9e8030000           | jmp                 9

        $sequence_6 = { 740c b9e8030000 e8???????? b301 }
            // n = 4, score = 3800
            //   740c                 | jne                 7
            //   b9e8030000           | cmp                 eax, 0x2734
            //   e8????????           |                     
            //   b301                 | test                al, al

        $sequence_7 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3400
            //   53                   | sub                 esp, 0x74
            //   53                   | mov                 eax, dword ptr [ebp + 0xc]
            //   53                   | add                 esp, 0x74
            //   6a01                 | pop                 ebx
            //   53                   | pop                 edi
            //   ffd0                 | pop                 esi

        $sequence_8 = { eb0a e8???????? eb03 6a7f 58 }
            // n = 5, score = 3000
            //   eb0a                 | push                ebx
            //   e8????????           |                     
            //   eb03                 | call                eax
            //   6a7f                 | push                ebx
            //   58                   | push                ebx

        $sequence_9 = { ffd0 eb02 33c0 6a00 }
            // n = 4, score = 2500
            //   ffd0                 | push                ebx
            //   eb02                 | push                1
            //   33c0                 | test                eax, eax
            //   6a00                 | je                  0x11

        $sequence_10 = { 7406 42 803a00 75fa }
            // n = 4, score = 2500
            //   7406                 | push                1
            //   42                   | push                ebx
            //   803a00               | test                eax, eax
            //   75fa                 | je                  0x13

        $sequence_11 = { b801000000 c3 31c0 c3 50 }
            // n = 5, score = 2500
            //   b801000000           | mov                 ecx, 0x3e8
            //   c3                   | mov                 bl, 1
            //   31c0                 | test                al, al
            //   c3                   | je                  0xe
            //   50                   | mov                 ecx, 0x3e8

        $sequence_12 = { ff36 ffd0 8bf8 85ff }
            // n = 4, score = 2500
            //   ff36                 | mov                 ecx, 0x3e8
            //   ffd0                 | call                eax
            //   8bf8                 | test                eax, eax
            //   85ff                 | je                  0xffffffe0

        $sequence_13 = { e8???????? 85c0 7407 56 ffd0 }
            // n = 5, score = 2400
            //   e8????????           |                     
            //   85c0                 | push                ebx
            //   7407                 | push                1
            //   56                   | je                  0x11
            //   ffd0                 | push                ebx

        $sequence_14 = { 7403 56 ffd0 33f6 }
            // n = 4, score = 2300
            //   7403                 | push                esi
            //   56                   | call                eax
            //   ffd0                 | xor                 esi, esi
            //   33f6                 | test                eax, eax

        $sequence_15 = { e8???????? 6880000000 53 53 }
            // n = 4, score = 2300
            //   e8????????           |                     
            //   6880000000           | jmp                 6
            //   53                   | xor                 eax, eax
            //   53                   | push                0

        $sequence_16 = { 55 8bec 837d0800 7422 }
            // n = 4, score = 2300
            //   55                   | call                edi
            //   8bec                 | test                eax, eax
            //   837d0800             | jne                 0x16
            //   7422                 | jmp                 9

        $sequence_17 = { e8???????? 85c0 7408 6a00 ffd0 }
            // n = 5, score = 2300
            //   e8????????           |                     
            //   85c0                 | jmp                 6
            //   7408                 | xor                 eax, eax
            //   6a00                 | push                0
            //   ffd0                 | call                eax

        $sequence_18 = { 807c241400 7409 8d4c2410 e8???????? }
            // n = 4, score = 2300
            //   807c241400           | push                dword ptr [esi]
            //   7409                 | call                eax
            //   8d4c2410             | mov                 edi, eax
            //   e8????????           |                     

        $sequence_19 = { e8???????? eb0a b9d0070000 e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   eb0a                 | jmp                 0xc
            //   b9d0070000           | mov                 ecx, 0x7d0
            //   e8????????           |                     

        $sequence_20 = { 8d4c2420 e8???????? 50 6a00 }
            // n = 4, score = 2200
            //   8d4c2420             | jmp                 4
            //   e8????????           |                     
            //   50                   | xor                 eax, eax
            //   6a00                 | push                0

        $sequence_21 = { c70350000000 eb0d 3da665f63e 7506 c703bb010000 }
            // n = 5, score = 2200
            //   c70350000000         | mov                 dword ptr [ebx], 0x50
            //   eb0d                 | jmp                 0xf
            //   3da665f63e           | cmp                 eax, 0x3ef665a6
            //   7506                 | jne                 8
            //   c703bb010000         | mov                 dword ptr [ebx], 0x1bb

        $sequence_22 = { ffd0 5b c3 33c0 }
            // n = 4, score = 2200
            //   ffd0                 | je                  5
            //   5b                   | push                esi
            //   c3                   | call                eax
            //   33c0                 | xor                 esi, esi

        $sequence_23 = { e8???????? 3db20d7897 7508 c70350000000 }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   3db20d7897           | cmp                 eax, 0x97780db2
            //   7508                 | jne                 0xa
            //   c70350000000         | mov                 dword ptr [ebx], 0x50

        $sequence_24 = { eb08 6a64 59 e8???????? }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   6a64                 | push                0x64
            //   59                   | pop                 ecx
            //   e8????????           |                     

        $sequence_25 = { eb08 83ca20 eb03 83ca10 }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   83ca20               | or                  edx, 0x20
            //   eb03                 | jmp                 5
            //   83ca10               | or                  edx, 0x10

        $sequence_26 = { 85c0 7407 685a040000 ffd0 }
            // n = 4, score = 2100
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   685a040000           | push                0x45a
            //   ffd0                 | call                eax

        $sequence_27 = { e8???????? 6a00 8d4e1c e8???????? }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d4e1c               | lea                 ecx, [esi + 0x1c]
            //   e8????????           |                     

        $sequence_28 = { 7411 c7461003000000 e8???????? 894614 }
            // n = 4, score = 2100
            //   7411                 | test                eax, eax
            //   c7461003000000       | jne                 0x14
            //   e8????????           |                     
            //   894614               | je                  0x13

        $sequence_29 = { 50 56 ffd5 57 }
            // n = 4, score = 2100
            //   50                   | je                  5
            //   56                   | push                esi
            //   ffd5                 | call                eax
            //   57                   | xor                 esi, esi

        $sequence_30 = { e8???????? 3bc3 7e44 8bce }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   3bc3                 | push                0x70
            //   7e44                 | push                0x74
            //   8bce                 | mov                 ecx, eax

        $sequence_31 = { 50 e8???????? 8938 8b35???????? }
            // n = 4, score = 2100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8938                 | test                eax, eax
            //   8b35????????         |                     

        $sequence_32 = { e8???????? e9???????? 807c245000 740a }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   e9????????           |                     
            //   807c245000           | cmp                 byte ptr [esp + 0x50], 0
            //   740a                 | je                  0xc

        $sequence_33 = { 50 53 8bce e8???????? 50 e8???????? 83c40c }
            // n = 7, score = 2100
            //   50                   | je                  9
            //   53                   | push                esi
            //   8bce                 | call                eax
            //   e8????????           |                     
            //   50                   | je                  0x17
            //   e8????????           |                     
            //   83c40c               | push                1

        $sequence_34 = { 7415 6a01 6a00 6a00 8d4dfc }
            // n = 5, score = 2100
            //   7415                 | push                ebx
            //   6a01                 | push                ebx
            //   6a00                 | push                1
            //   6a00                 | push                ebx
            //   8d4dfc               | test                eax, eax

        $sequence_35 = { e8???????? 84c0 7516 8bd3 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7516                 | jne                 0x18
            //   8bd3                 | mov                 edx, ebx

        $sequence_36 = { e8???????? 85c0 7406 6a01 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   85c0                 | je                  0xa
            //   7406                 | push                0
            //   6a01                 | call                eax

        $sequence_37 = { e8???????? 85c0 7404 6a7f ffd0 }
            // n = 5, score = 2100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   6a7f                 | push                0x7f
            //   ffd0                 | call                eax

        $sequence_38 = { 6810270000 50 e8???????? 83c410 }
            // n = 4, score = 2100
            //   6810270000           | push                0x70
            //   50                   | mov                 ecx, eax
            //   e8????????           |                     
            //   83c410               | test                eax, eax

        $sequence_39 = { 6a74 8bc8 e8???????? 6a70 }
            // n = 4, score = 2100
            //   6a74                 | add                 esp, 0xc
            //   8bc8                 | test                eax, eax
            //   e8????????           |                     
            //   6a70                 | je                  0x17

        $sequence_40 = { 6a70 8bc8 e8???????? 6a73 8bc8 }
            // n = 5, score = 2100
            //   6a70                 | push                0x73
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   6a73                 | push                0x74
            //   8bc8                 | mov                 ecx, eax

        $sequence_41 = { 7414 31c0 89c1 8b442424 }
            // n = 4, score = 2000
            //   7414                 | mov                 ecx, eax
            //   31c0                 | mov                 eax, dword ptr [esp + 0x24]
            //   89c1                 | mov                 dl, al
            //   8b442424             | mov                 byte ptr [esp + 7], bl

        $sequence_42 = { eb18 c7461002000000 eb0f c7461003000000 e8???????? }
            // n = 5, score = 2000
            //   eb18                 | mov                 dword ptr [esi + 0x10], 3
            //   c7461002000000       | mov                 dword ptr [esi + 0x14], eax
            //   eb0f                 | jmp                 0x1a
            //   c7461003000000       | mov                 dword ptr [esi + 0x10], 2
            //   e8????????           |                     

        $sequence_43 = { 51 6802100000 68ffff0000 ff36 }
            // n = 4, score = 2000
            //   51                   | mov                 dword ptr [esi + 0x14], eax
            //   6802100000           | xor                 al, al
            //   68ffff0000           | push                ecx
            //   ff36                 | push                0x1002

        $sequence_44 = { 85c0 7406 6a02 ff36 ffd0 }
            // n = 5, score = 2000
            //   85c0                 | push                0xffff
            //   7406                 | push                dword ptr [esi]
            //   6a02                 | test                eax, eax
            //   ff36                 | je                  8
            //   ffd0                 | push                2

        $sequence_45 = { 50 56 8bcb e8???????? 50 e8???????? }
            // n = 6, score = 2000
            //   50                   | push                dword ptr [esi]
            //   56                   | call                eax
            //   8bcb                 | mov                 edi, eax
            //   e8????????           |                     
            //   50                   | test                edi, edi
            //   e8????????           |                     

        $sequence_46 = { 885c2407 89442408 7598 8a442407 }
            // n = 4, score = 2000
            //   885c2407             | mov                 eax, dword ptr [esp + 0x2c]
            //   89442408             | mov                 ecx, eax
            //   7598                 | mov                 edx, ecx
            //   8a442407             | xor                 eax, eax

        $sequence_47 = { eb0a b988130000 e8???????? 33d2 }
            // n = 4, score = 2000
            //   eb0a                 | jmp                 0xc
            //   b988130000           | mov                 ecx, 0x1388
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx

        $sequence_48 = { 8a442427 a801 7534 eb00 31c0 }
            // n = 5, score = 2000
            //   8a442427             | mov                 dword ptr [esp + 8], eax
            //   a801                 | jne                 0xffffff9e
            //   7534                 | mov                 al, byte ptr [esp + 7]
            //   eb00                 | test                al, 1
            //   31c0                 | je                  0x16

        $sequence_49 = { 89c1 8b442424 88c2 8854240f }
            // n = 4, score = 2000
            //   89c1                 | ret                 
            //   8b442424             | xor                 eax, eax
            //   88c2                 | ret                 
            //   8854240f             | push                eax

        $sequence_50 = { 89442404 eb00 8b442404 89c1 }
            // n = 4, score = 2000
            //   89442404             | xor                 eax, eax
            //   eb00                 | ret                 
            //   8b442404             | push                eax
            //   89c1                 | mov                 eax, 1

        $sequence_51 = { 488d4c2450 e8???????? 33c9 e8???????? }
            // n = 4, score = 2000
            //   488d4c2450           | dec                 eax
            //   e8????????           |                     
            //   33c9                 | add                 esp, 0x60
            //   e8????????           |                     

        $sequence_52 = { 890424 894c2404 75dd 8b0424 }
            // n = 4, score = 2000
            //   890424               | mov                 dword ptr [esp], eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   75dd                 | jne                 0xffffffdf
            //   8b0424               | mov                 eax, dword ptr [esp]

        $sequence_53 = { 8954242c 8b44242c 89c1 89ca }
            // n = 4, score = 2000
            //   8954242c             | mov                 dword ptr [esp + 4], eax
            //   8b44242c             | jmp                 2
            //   89c1                 | mov                 eax, dword ptr [esp + 4]
            //   89ca                 | mov                 ecx, eax

        $sequence_54 = { 8b442428 6689c1 66894c2458 66894c245a }
            // n = 4, score = 2000
            //   8b442428             | jne                 0x38
            //   6689c1               | jmp                 6
            //   66894c2458           | xor                 eax, eax
            //   66894c245a           | mov                 ecx, eax

        $sequence_55 = { e8???????? 8be8 85ed 7458 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   8be8                 | lea                 ecx, [esp + 0x20]
            //   85ed                 | push                eax
            //   7458                 | push                0

        $sequence_56 = { 807c242400 7409 8d4c2420 e8???????? }
            // n = 4, score = 1800
            //   807c242400           | je                  8
            //   7409                 | push                1
            //   8d4c2420             | mov                 ebp, eax
            //   e8????????           |                     

        $sequence_57 = { e8???????? 6880000000 55 55 }
            // n = 4, score = 1800
            //   e8????????           |                     
            //   6880000000           | push                eax
            //   55                   | mov                 dword ptr [eax], edi
            //   55                   | test                eax, eax

        $sequence_58 = { ff7508 ffd0 33c0 40 5d }
            // n = 5, score = 1700
            //   ff7508               | test                eax, eax
            //   ffd0                 | jne                 0x17
            //   33c0                 | jmp                 7
            //   40                   | ret                 
            //   5d                   | push                ebp

        $sequence_59 = { 8d4de0 51 68???????? ffd0 }
            // n = 4, score = 1600
            //   8d4de0               | inc                 eax
            //   51                   | push                dword ptr [ebp + 8]
            //   68????????           |                     
            //   ffd0                 | call                eax

        $sequence_60 = { 895704 895708 89570c 895710 }
            // n = 4, score = 1500
            //   895704               | je                  0xb
            //   895708               | lea                 ecx, [esp + 0x10]
            //   89570c               | lea                 ecx, [esp + 0x20]
            //   895710               | push                eax

        $sequence_61 = { eb0c e8???????? 8bf0 eb03 }
            // n = 4, score = 900
            //   eb0c                 | xor                 eax, eax
            //   e8????????           |                     
            //   8bf0                 | inc                 eax
            //   eb03                 | pop                 ebp

        $sequence_62 = { e8???????? 50 ffd7 85c0 7512 }
            // n = 5, score = 900
            //   e8????????           |                     
            //   50                   | jne                 0x16
            //   ffd7                 | jmp                 9
            //   85c0                 | push                0x7f
            //   7512                 | push                eax

        $sequence_63 = { 8038e9 89c1 8945d0 894dcc }
            // n = 4, score = 700
            //   8038e9               | mov                 ecx, 0x3e8
            //   89c1                 | call                eax
            //   8945d0               | test                eax, eax
            //   894dcc               | je                  0xffffffe0

        $sequence_64 = { e8???????? 8b4d0c 50 6a00 e8???????? }
            // n = 5, score = 700
            //   e8????????           |                     
            //   8b4d0c               | test                eax, eax
            //   50                   | jne                 0x18
            //   6a00                 | push                eax
            //   e8????????           |                     

        $sequence_65 = { 8b45cc 31c9 8b55d0 39c2 }
            // n = 4, score = 700
            //   8b45cc               | mov                 ecx, 0x3e8
            //   31c9                 | mov                 bl, 1
            //   8b55d0               | test                al, al
            //   39c2                 | je                  0x10

        $sequence_66 = { 8b45e8 05ffff0000 25ffff0000 83c001 }
            // n = 4, score = 600
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x34]
            //   05ffff0000           | xor                 ecx, ecx
            //   25ffff0000           | mov                 edx, dword ptr [ebp - 0x30]
            //   83c001               | cmp                 edx, eax

        $sequence_67 = { 8b510c 8b75bc 01d6 8b7dbc 8a1c17 80fb00 }
            // n = 6, score = 600
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b75bc               | mov                 esi, dword ptr [ebp - 0x44]
            //   01d6                 | add                 esi, edx
            //   8b7dbc               | mov                 edi, dword ptr [ebp - 0x44]
            //   8a1c17               | mov                 bl, byte ptr [edi + edx]
            //   80fb00               | cmp                 bl, 0

        $sequence_68 = { 0f84d0000000 8b45bc 03403c 8b4dbc 6681394d5a 8945b8 894dc4 }
            // n = 7, score = 600
            //   0f84d0000000         | je                  0xd6
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   03403c               | add                 eax, dword ptr [eax + 0x3c]
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   6681394d5a           | cmp                 word ptr [ecx], 0x5a4d
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx

        $sequence_69 = { 83c205 807c0805e9 891424 74e9 8b0424 }
            // n = 5, score = 600
            //   83c205               | xor                 eax, eax
            //   807c0805e9           | ret                 
            //   891424               | push                eax
            //   74e9                 | xor                 eax, eax
            //   8b0424               | ret                 

        $sequence_70 = { 8b704c 2b7134 891424 89742404 894c2418 e8???????? 8b4c2420 }
            // n = 7, score = 600
            //   8b704c               | mov                 eax, dword ptr [esp]
            //   2b7134               | mov                 ecx, dword ptr [eax + 1]
            //   891424               | mov                 edx, eax
            //   89742404             | add                 edx, ecx
            //   894c2418             | add                 edx, 5
            //   e8????????           |                     
            //   8b4c2420             | cmp                 byte ptr [eax + ecx + 5], 0xe9

        $sequence_71 = { 8b0424 8b4801 89c2 01ca 83c205 807c0805e9 }
            // n = 6, score = 600
            //   8b0424               | push                eax
            //   8b4801               | mov                 eax, dword ptr [esp + 8]
            //   89c2                 | cmp                 byte ptr [eax], 0xe9
            //   01ca                 | add                 edx, 5
            //   83c205               | cmp                 byte ptr [eax + ecx + 5], 0xe9
            //   807c0805e9           | mov                 dword ptr [esp], edx

        $sequence_72 = { 8038e9 890424 7517 8b0424 8b4801 89c2 }
            // n = 6, score = 600
            //   8038e9               | mov                 dword ptr [esp], edx
            //   890424               | mov                 dword ptr [esp + 4], esi
            //   7517                 | mov                 dword ptr [esp + 0x18], ecx
            //   8b0424               | mov                 ecx, dword ptr [esp + 0x20]
            //   8b4801               | mov                 dword ptr [esp + 4], esi
            //   89c2                 | mov                 dword ptr [esp + 0x18], ecx

        $sequence_73 = { c3 50 8b442408 8038e9 890424 7517 }
            // n = 6, score = 600
            //   c3                   | mov                 ecx, dword ptr [esp + 0x20]
            //   50                   | mov                 dword ptr [esp], ecx
            //   8b442408             | cmp                 byte ptr [eax], 0xe9
            //   8038e9               | mov                 dword ptr [esp], eax
            //   890424               | jne                 0x1c
            //   7517                 | mov                 eax, dword ptr [esp]

        $sequence_74 = { 8b513c 6689d6 6683fe00 89cf }
            // n = 4, score = 600
            //   8b513c               | cmp                 byte ptr [eax], 0xe9
            //   6689d6               | mov                 ecx, eax
            //   6683fe00             | mov                 dword ptr [ebp - 0x30], eax
            //   89cf                 | mov                 dword ptr [ebp - 0x34], ecx

        $sequence_75 = { 83c430 5e 5d c3 55 89e5 57 }
            // n = 7, score = 500
            //   83c430               | mov                 bl, 1
            //   5e                   | test                al, al
            //   5d                   | je                  0xe
            //   c3                   | mov                 ecx, 0x3e8
            //   55                   | mov                 bl, 1
            //   89e5                 | call                eax
            //   57                   | test                eax, eax

        $sequence_76 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 }
            // n = 4, score = 500
            //   c7424800b00400       | pop                 edi
            //   8b7de4               | pop                 ebp
            //   c787cc00000000000000     | mov    dword ptr [ebp - 0x34], edx
            //   c787c800000000000000     | je    0xffffffbe

        $sequence_77 = { 83c454 5b 5e 5f 5d c3 55 }
            // n = 7, score = 500
            //   83c454               | push                edi
            //   5b                   | ret                 
            //   5e                   | push                ebp
            //   5f                   | mov                 ebp, esp
            //   5d                   | push                edi
            //   c3                   | push                esi
            //   55                   | push                ebx

        $sequence_78 = { e8???????? 8b483c 6689ce 6683fe00 89c2 8945e8 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   8b483c               | cmp                 si, 0
            //   6689ce               | mov                 edi, ecx
            //   6683fe00             | and                 eax, 0xffff
            //   89c2                 | add                 eax, 1
            //   8945e8               | mov                 ecx, dword ptr [ebp - 0x18]

        $sequence_79 = { 8b4df8 01c1 894df0 8b45f0 }
            // n = 4, score = 500
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   01c1                 | add                 ecx, eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_80 = { 25ffff0000 83c001 8b4da8 01c1 }
            // n = 4, score = 500
            //   25ffff0000           | and                 eax, 0xffff
            //   83c001               | add                 eax, 1
            //   8b4da8               | mov                 ecx, dword ptr [ebp - 0x58]
            //   01c1                 | add                 ecx, eax

        $sequence_81 = { 81e1ffff0000 83c101 8b55ec 01ca }
            // n = 4, score = 500
            //   81e1ffff0000         | mov                 ecx, dword ptr [eax + 0x3c]
            //   83c101               | mov                 si, cx
            //   8b55ec               | mov                 dword ptr [esp + 4], 0
            //   01ca                 | mov                 dword ptr [ebp - 0x10], eax

        $sequence_82 = { 8945f8 894df4 8975f0 7418 8b45f4 05ffff0000 }
            // n = 6, score = 500
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   7418                 | je                  0x1a
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   05ffff0000           | add                 eax, 0xffff

        $sequence_83 = { 894df0 8b45f0 83c40c 5e 5d }
            // n = 5, score = 500
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_84 = { 8b45ec 83c410 5e 5d }
            // n = 4, score = 500
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_85 = { 25ffff0000 83c001 8b4de8 01c1 894de0 8b45e0 }
            // n = 6, score = 500
            //   25ffff0000           | mov                 eax, dword ptr [ebp - 0x18]
            //   83c001               | add                 eax, 0xffff
            //   8b4de8               | and                 eax, 0xffff
            //   01c1                 | add                 eax, 1
            //   894de0               | mov                 edx, dword ptr [ecx + 0x3c]
            //   8b45e0               | mov                 si, dx

        $sequence_86 = { 8b4ddc 8b9180000000 8b75ec 01d6 }
            // n = 4, score = 500
            //   8b4ddc               | mov                 si, cx
            //   8b9180000000         | cmp                 si, 0
            //   8b75ec               | mov                 edx, eax
            //   01d6                 | mov                 dword ptr [ebp - 0x18], eax

        $sequence_87 = { 56 53 57 83ec5c 8b450c 8b4d08 }
            // n = 6, score = 400
            //   56                   | pop                 ebx
            //   53                   | pop                 esi
            //   57                   | je                  0xfffffee8
            //   83ec5c               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b450c               | add                 esp, 0x5c
            //   8b4d08               | pop                 edi

        $sequence_88 = { 8945c4 894dc0 885dbf 8975b8 8955b4 }
            // n = 5, score = 400
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   885dbf               | mov                 byte ptr [ebp - 0x41], bl
            //   8975b8               | mov                 dword ptr [ebp - 0x48], esi
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx

        $sequence_89 = { 8b45e0 83c45c 5f 5b }
            // n = 4, score = 400
            //   8b45e0               | add                 esp, 0x5c
            //   83c45c               | pop                 edi
            //   5f                   | pop                 ebx
            //   5b                   | pop                 esi

        $sequence_90 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 }
            // n = 6, score = 400
            //   5b                   | mov                 dword ptr [edi + 0xcc], 0
            //   5d                   | mov                 dword ptr [edi + 0xc8], 0
            //   c3                   | mov                 dword ptr [ebp - 0x24], eax
            //   8b45d0               | mov                 eax, ecx
            //   8b4dd4               | add                 esp, 0x2c
            //   668b55d8             | pop                 ebx

        $sequence_91 = { 894de0 7505 e9???????? 8b45e0 83c438 5f }
            // n = 6, score = 400
            //   894de0               | mov                 eax, ecx
            //   7505                 | pop                 ebx
            //   e9????????           |                     
            //   8b45e0               | pop                 esi
            //   83c438               | pop                 ebp
            //   5f                   | ret                 

        $sequence_92 = { 8b4c2454 894c240c 8b942484000000 ffd2 83ec10 b918000000 }
            // n = 6, score = 300
            //   8b4c2454             | jne                 0x1f
            //   894c240c             | mov                 eax, dword ptr [esp]
            //   8b942484000000       | mov                 edx, eax
            //   ffd2                 | add                 edx, ecx
            //   83ec10               | add                 edx, 5
            //   b918000000           | cmp                 byte ptr [eax + ecx + 5], 0xe9

        $sequence_93 = { 8b45e0 83c438 5e 5b 5f }
            // n = 5, score = 300
            //   8b45e0               | add                 esp, 0x74
            //   83c438               | pop                 ebx
            //   5e                   | push                ebx
            //   5b                   | push                esi
            //   5f                   | sub                 esp, 0x38

        $sequence_94 = { 8945e4 0f85dafeffff 8b45e4 83c474 5b }
            // n = 5, score = 300
            //   8945e4               | sub                 esp, 0xb0
            //   0f85dafeffff         | mov                 eax, dword ptr [ebp + 8]
            //   8b45e4               | lea                 ecx, [ebp - 0x28]
            //   83c474               | push                ebx
            //   5b                   | sub                 esp, 0xb0

        $sequence_95 = { 890424 e8???????? 31c0 83c420 5f }
            // n = 5, score = 300
            //   890424               | mov                 eax, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   31c0                 | mov                 ecx, dword ptr [ebp + 8]
            //   83c420               | push                ebx
            //   5f                   | sub                 esp, 0x74

        $sequence_96 = { c3 53 57 56 83ec5c }
            // n = 5, score = 300
            //   c3                   | mov                 dword ptr [edi + 0xc8], 0
            //   53                   | mov                 dword ptr [esp + 0x10], eax
            //   57                   | mov                 eax, ecx
            //   56                   | mov                 dword ptr [edx + 0x48], 0x4b000
            //   83ec5c               | mov                 edi, dword ptr [esp + 0x18]

        $sequence_97 = { c3 8b45f0 8b0c8504406e00 8b55f8 39d1 }
            // n = 5, score = 300
            //   c3                   | ret                 
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b0c8504406e00       | mov                 ecx, dword ptr [eax*4 + 0x6e4004]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   39d1                 | cmp                 ecx, edx

        $sequence_98 = { 8955cc 74bc 8b45cc 83c454 5f }
            // n = 5, score = 300
            //   8955cc               | lea                 ecx, [ebp - 0x28]
            //   74bc                 | mov                 dword ptr [ebp - 0x28], 0
            //   8b45cc               | push                ebx
            //   83c454               | sub                 esp, 0xb0
            //   5f                   | mov                 eax, dword ptr [ebp + 8]

        $sequence_99 = { 53 56 83ec38 8b450c 8b4d08 8945f0 }
            // n = 6, score = 300
            //   53                   | jne                 0xfffffee0
            //   56                   | mov                 eax, dword ptr [ebp - 0x1c]
            //   83ec38               | add                 esp, 0x74
            //   8b450c               | pop                 ebx
            //   8b4d08               | jne                 0xfffffee0
            //   8945f0               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_100 = { 57 83ec20 8b4508 890424 8945f0 e8???????? 8945ec }
            // n = 7, score = 300
            //   57                   | xor                 eax, eax
            //   83ec20               | add                 esp, 0x20
            //   8b4508               | pop                 edi
            //   890424               | mov                 eax, dword ptr [ebp - 0x10]
            //   8945f0               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8945ec               | xor                 eax, eax

        $sequence_101 = { 53 83ec74 8b450c 8b4d08 31d2 8b713c 89cf }
            // n = 7, score = 300
            //   53                   | pop                 ebx
            //   83ec74               | mov                 dword ptr [ebp - 0x38], edx
            //   8b450c               | mov                 dword ptr [ebp - 0x3c], ebx
            //   8b4d08               | mov                 dword ptr [ebp - 0x1c], eax
            //   31d2                 | jne                 0xfffffee6
            //   8b713c               | mov                 eax, dword ptr [ebp - 0x1c]
            //   89cf                 | add                 esp, 0x74

        $sequence_102 = { 8b541304 83fa00 0f95c1 8b6c2460 83fd00 }
            // n = 5, score = 300
            //   8b541304             | mov                 dword ptr [edi + 0xcc], 0
            //   83fa00               | mov                 dword ptr [edi + 0xc8], 0
            //   0f95c1               | mov                 dword ptr [esp + 0x10], eax
            //   8b6c2460             | ret                 
            //   83fd00               | push                ebx

        $sequence_103 = { 813850450000 8b4c242c 894c243c 0f85c2000000 }
            // n = 4, score = 300
            //   813850450000         | mov                 dword ptr [esp], edx
            //   8b4c242c             | je                  0xfffffff8
            //   894c243c             | mov                 ecx, dword ptr [esp + 0x54]
            //   0f85c2000000         | mov                 dword ptr [esp + 0xc], ecx

        $sequence_104 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 8b504c }
            // n = 6, score = 300
            //   53                   | sub                 esp, 0x54
            //   81ecb0000000         | add                 esp, 0x54
            //   8b4508               | pop                 ebx
            //   8d4dd8               | pop                 esi
            //   c745d800000000       | pop                 edi
            //   8b504c               | pop                 ebp

        $sequence_105 = { 55 89e5 57 53 56 83ec38 }
            // n = 6, score = 300
            //   55                   | mov                 eax, dword ptr [ebp + 0xc]
            //   89e5                 | mov                 ecx, dword ptr [ebp + 8]
            //   57                   | add                 esp, 0x38
            //   53                   | pop                 esi
            //   56                   | pop                 ebx
            //   83ec38               | pop                 edi

        $sequence_106 = { 75e4 83c448 5e 5f }
            // n = 4, score = 300
            //   75e4                 | mov                 eax, dword ptr [ebp - 0x34]
            //   83c448               | add                 esp, 0x54
            //   5e                   | pop                 edi
            //   5f                   | mov                 ebp, esp

        $sequence_107 = { 897dd8 8b45d8 83c444 5b 5e }
            // n = 5, score = 200
            //   897dd8               | add                 esp, 0x54
            //   8b45d8               | pop                 edi
            //   83c444               | pop                 ebx
            //   5b                   | mov                 esi, dword ptr [ebp - 0x14]
            //   5e                   | mov                 dword ptr [edx + 0x3c], esi

        $sequence_108 = { 8d0dad306e00 890424 894c2404 e8???????? 8d0d44306e00 31d2 8b75f8 }
            // n = 7, score = 200
            //   8d0dad306e00         | lea                 ecx, [0x6e30ad]
            //   890424               | mov                 dword ptr [esp], eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   e8????????           |                     
            //   8d0d44306e00         | lea                 ecx, [0x6e3044]
            //   31d2                 | xor                 edx, edx
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]

        $sequence_109 = { c744240400000000 8955d8 e8???????? 8d0d04316e00 }
            // n = 4, score = 200
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx
            //   e8????????           |                     
            //   8d0d04316e00         | lea                 ecx, [0x6e3104]

        $sequence_110 = { 890c24 c744240400000000 8955ec e8???????? 8d0dad306e00 890424 }
            // n = 6, score = 200
            //   890c24               | mov                 dword ptr [esp], ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   e8????????           |                     
            //   8d0dad306e00         | lea                 ecx, [0x6e30ad]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_111 = { 83c454 5f 5b 5e }
            // n = 4, score = 200
            //   83c454               | pop                 edi
            //   5f                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 ebp

        $sequence_112 = { 8955dc e8???????? 8d0de8306e00 890424 }
            // n = 4, score = 200
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   e8????????           |                     
            //   8d0de8306e00         | lea                 ecx, [0x6e30e8]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_113 = { 8d0d44306e00 31d2 890c24 c744240400000000 8945f4 8955f0 e8???????? }
            // n = 7, score = 200
            //   8d0d44306e00         | lea                 ecx, [0x6e3044]
            //   31d2                 | xor                 edx, edx
            //   890c24               | mov                 dword ptr [esp], ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   e8????????           |                     

        $sequence_114 = { 89e5 57 56 53 81ecb0000000 8b4508 }
            // n = 6, score = 200
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   81ecb0000000         | sub                 esp, 0xb0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_115 = { 56 57 81ecb0000000 8b4508 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   81ecb0000000         | sub                 esp, 0xb0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_116 = { 8b55f4 8b75ec 89723c c7424004000000 c742442c0c0200 }
            // n = 5, score = 200
            //   8b55f4               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b75ec               | add                 esp, 0x38
            //   89723c               | pop                 edi
            //   c7424004000000       | pop                 esi
            //   c742442c0c0200       | add                 esp, 0x54

        $sequence_117 = { 8b45e0 83c438 5f 5e 5b 5d c3 }
            // n = 7, score = 200
            //   8b45e0               | sub                 esp, 0x38
            //   83c438               | mov                 eax, dword ptr [ebp + 0xc]
            //   5f                   | mov                 ecx, dword ptr [ebp + 8]
            //   5e                   | jne                 7
            //   5b                   | mov                 eax, dword ptr [ebp - 0x20]
            //   5d                   | add                 esp, 0x38
            //   c3                   | pop                 edi

        $sequence_118 = { 53 56 57 83ec38 }
            // n = 4, score = 200
            //   53                   | add                 esp, 0x54
            //   56                   | pop                 edi
            //   57                   | mov                 dword ptr [ebp - 0x60], eax
            //   83ec38               | mov                 dword ptr [ebp - 0x34], edx

        $sequence_119 = { c3 55 89e5 56 53 57 83ec20 }
            // n = 7, score = 200
            //   c3                   | push                edi
            //   55                   | sub                 esp, 0x20
            //   89e5                 | mov                 eax, dword ptr [ebp + 8]
            //   56                   | mov                 dword ptr [esp], eax
            //   53                   | xor                 eax, eax
            //   57                   | add                 esp, 0x20
            //   83ec20               | pop                 edi

        $sequence_120 = { c7424004000000 c742442c0c0200 c7424800b00400 8b7de4 }
            // n = 4, score = 200
            //   c7424004000000       | mov                 dword ptr [edx + 0x44], 0x20c2c
            //   c742442c0c0200       | mov                 dword ptr [edx + 0x48], 0x4b000
            //   c7424800b00400       | mov                 edi, dword ptr [ebp - 0x1c]
            //   8b7de4               | mov                 dword ptr [edi + 0xcc], 0

        $sequence_121 = { e9???????? 8b45e0 83c45c 5e 5f 5b }
            // n = 6, score = 200
            //   e9????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   83c45c               | add                 esp, 0x5c
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_122 = { 8d0d44308400 31d2 8b75f8 89461c 890c24 c744240400000000 }
            // n = 6, score = 100
            //   8d0d44308400         | lea                 ecx, [0x843044]
            //   31d2                 | xor                 edx, edx
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   89461c               | mov                 dword ptr [esi + 0x1c], eax
            //   890c24               | mov                 dword ptr [esp], ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_123 = { 890c24 c744240400000000 8955dc e8???????? 8d0de8302f00 890424 894c2404 }
            // n = 7, score = 100
            //   890c24               | mov                 dword ptr [esp], ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   e8????????           |                     
            //   8d0de8302f00         | lea                 ecx, [0x2f30e8]
            //   890424               | mov                 dword ptr [esp], eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx

        $sequence_124 = { 56 83ec44 8b4508 8d0d30308400 31d2 890c24 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   83ec44               | sub                 esp, 0x44
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d0d30308400         | lea                 ecx, [0x843030]
            //   31d2                 | xor                 edx, edx
            //   890c24               | mov                 dword ptr [esp], ecx

        $sequence_125 = { 8a2c0575308400 83c001 38e9 8945a0 8955cc }
            // n = 5, score = 100
            //   8a2c0575308400       | mov                 ch, byte ptr [eax + 0x843075]
            //   83c001               | add                 eax, 1
            //   38e9                 | cmp                 cl, ch
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx

        $sequence_126 = { 8d0d44302f00 31d2 8b75f8 89462c }
            // n = 4, score = 100
            //   8d0d44302f00         | lea                 ecx, [0x2f3044]
            //   31d2                 | xor                 edx, edx
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   89462c               | mov                 dword ptr [esi + 0x2c], eax

        $sequence_127 = { 89e5 8d055a238400 5d c3 }
            // n = 4, score = 100
            //   89e5                 | mov                 ebp, esp
            //   8d055a238400         | lea                 eax, [0x84235a]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_128 = { 83ec28 8b450c 8b4d08 8d155e308400 83ec04 }
            // n = 5, score = 100
            //   83ec28               | sub                 esp, 0x28
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d155e308400         | lea                 edx, [0x84305e]
            //   83ec04               | sub                 esp, 4

    condition:
        7 of them and filesize < 1040384
}
Download all Yara Rules