SYMBOLCOMMON_NAMEaka. SYNONYMS
win.isfb (Back to overview)

ISFB

aka: Gozi ISFB, IAP, Pandemyia
URLhaus                      

2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)

In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.

The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.

There is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.

ISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.

In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.

See win.gozi for additional historical information.

References
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 GuLoader ISFB Remcos
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-01-23SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } German language malspam pushes Ursnif
ISFB
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2019-12-24SophosSophosLabs Threat Research
@online{research:20191224:gozi:6cca2ca, author = {SophosLabs Threat Research}, title = {{Gozi V3: tracked by their own stealth}}, date = {2019-12-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/}, language = {English}, urldate = {2020-01-13} } Gozi V3: tracked by their own stealth
ISFB
2019-12-23Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } Wireshark Tutorial: Examining Ursnif Infections
ISFB
2019-08-07FortinetXiaopeng Zhang
@online{zhang:20190807:new:2e838ee, author = {Xiaopeng Zhang}, title = {{New Ursnif Variant Spreading by Word Document}}, date = {2019-08-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html}, language = {English}, urldate = {2020-01-26} } New Ursnif Variant Spreading by Word Document
ISFB
2019-06-25VMRayTamas Boczan
@online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } Analyzing Ursnif’s Behavior Using a Malware Sandbox
ISFB
2019-05-250ffset Blog0verfl0w_
@online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } Analyzing ISFB – The Second Loader
ISFB
2019-04-06Youtube (hasherezade)hasherezade
@online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } Unpacking ISFB (including the custom 'PX' format)
ISFB
2019-04-05YoroiDavide Testa, Antonio Pirozzi
@online{testa:20190405:ursnif:4670538, author = {Davide Testa and Antonio Pirozzi}, title = {{Ursnif: The Latest Evolution of the Most Popular Banking Malware}}, date = {2019-04-05}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/}, language = {English}, urldate = {2019-10-23} } Ursnif: The Latest Evolution of the Most Popular Banking Malware
ISFB
2019-03-26YoroiZLAB-Yoroi
@online{zlabyoroi:20190326:ursnif:1d301b8, author = {ZLAB-Yoroi}, title = {{The Ursnif Gangs keep Threatening Italy}}, date = {2019-03-26}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/}, language = {English}, urldate = {2020-01-07} } The Ursnif Gangs keep Threatening Italy
ISFB
2019-03-130ffset Blog0verfl0w_
@online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } Analysing ISFB – The First Loader
ISFB
2019-03-12CybereasonAssaf Dahan, Cybereason Nocturnus
@online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } New Ursnif Variant targets Japan packed with new Features
ISFB UrlZone
2019-03-11MinervaMinerva Labs
@online{labs:20190311:attackers:013804a, author = {Minerva Labs}, title = {{Attackers Insert Themselves into the Email Conversation to Spread Malware}}, date = {2019-03-11}, organization = {Minerva}, url = {https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware}, language = {English}, urldate = {2020-01-08} } Attackers Insert Themselves into the Email Conversation to Spread Malware
ISFB
2019-02-07YoroiZLAB-Yoroi
@online{zlabyoroi:20190207:ursnif:f25be00, author = {ZLAB-Yoroi}, title = {{Ursnif: Long Live the Steganography!}}, date = {2019-02-07}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ursnif-long-live-the-steganography/}, language = {English}, urldate = {2019-12-03} } Ursnif: Long Live the Steganography!
ISFB
2019-01-30CyberbitHod Gavriel
@online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-01-08} } New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)
ISFB
2019-01-24Cisco TalosJohn Arneson
@online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } Cisco AMP tracks new campaign that delivers Ursnif
ISFB
2019-01-150ffset Blog0verfl0w_
@online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } Analyzing COMmunication in Malware
ISFB
2019CSISBenoît Ancel, Peter Kruse
@techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } Dreambot Business overview 2019
ISFB
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-05-17FidelisThreat Research Team
@online{team:20180517:gozi:f554055, author = {Threat Research Team}, title = {{Gozi V3 Technical Update}}, date = {2018-05-17}, organization = {Fidelis}, url = {https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/}, language = {English}, urldate = {2020-01-08} } Gozi V3 Technical Update
ISFB
2018-03-19hasherezade
@online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } Unpacking Ursnif
ISFB
2018-03-06Cisco TalosEdmund Brumaghin, Holger Unterbrink, Adam Weller
@online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution
ISFB
2018-02-07CylanceThreat Research Team
@online{team:20180207:threat:c0550bd, author = {Threat Research Team}, title = {{Threat Spotlight: URSNIF Infostealer Malware}}, date = {2018-02-07}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html}, language = {English}, urldate = {2019-11-24} } Threat Spotlight: URSNIF Infostealer Malware
ISFB
2018-01-17SANS ISCbrad
@online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } Reviewing the spam filters: Malspam pushing Gozi-ISFB
ISFB
2017-11-28FireEyeSandor Nemes, Abhay Vaish
@online{nemes:20171128:newly:b2b9018, author = {Sandor Nemes and Abhay Vaish}, title = {{Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection}}, date = {2017-11-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html}, language = {English}, urldate = {2019-12-20} } Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
ISFB
2017-07-02CERT.PLMaciej Kotowicz
@online{kotowicz:20170702:isfb:2fe662b, author = {Maciej Kotowicz}, title = {{ISFB: Still Live and Kicking}}, date = {2017-07-02}, organization = {CERT.PL}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15}, language = {English}, urldate = {2020-01-13} } ISFB: Still Live and Kicking
ISFB
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-04-20MalwarebytesJérôme Segura
@online{segura:20170420:binary:eaa706a, author = {Jérôme Segura}, title = {{Binary Options malvertising campaign drops ISFB banking Trojan}}, date = {2017-04-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Binary Options malvertising campaign drops ISFB banking Trojan
ISFB
2016-11-01Ariel Koren's BlogAriel Koren
@online{koren:20161101:ursnif:a5e4fcd, author = {Ariel Koren}, title = {{Ursnif Malware: Deep Technical Dive}}, date = {2016-11-01}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/}, language = {English}, urldate = {2020-01-10} } Ursnif Malware: Deep Technical Dive
ISFB
2016-04-14SecurityIntelligenceLimor Kessem, Lior Keshet
@online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim
ISFB Nymaim GozNym
2016-03-23Github (gbrindisi)gbrindisi
@online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourceccode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } Gozi ISFB Sourceccode
ISFB
Yara Rules
[TLP:WHITE] win_isfb_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_isfb_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb02 33c0 3bc7 7414 }
            // n = 4, score = 3000
            //   eb02                 | or                  eax, edx
            //   33c0                 | je                  0x7a
            //   3bc7                 | mov                 eax, dword ptr [edx]
            //   7414                 | inc                 ebx

        $sequence_1 = { 51 57 50 ffd6 85c0 }
            // n = 5, score = 2700
            //   51                   | je                  0x20
            //   57                   | mov                 eax, dword ptr [edx]
            //   50                   | inc                 ebx
            //   ffd6                 | mov                 cl, bl
            //   85c0                 | rol                 eax, cl

        $sequence_2 = { 50 33c0 e8???????? 3bc7 }
            // n = 4, score = 2400
            //   50                   | push                ebp
            //   33c0                 | mov                 ebp, esp
            //   e8????????           |                     
            //   3bc7                 | and                 esp, 0xfffffff8

        $sequence_3 = { 6a10 58 e8???????? 3bc7 }
            // n = 4, score = 2400
            //   6a10                 | sub                 esp, 0xc
            //   58                   | push                ebx
            //   e8????????           |                     
            //   3bc7                 | mov                 al, byte ptr [esi + 4]

        $sequence_4 = { ff7508 ff75f0 ff75f4 6822010000 e9???????? ff7508 }
            // n = 6, score = 2400
            //   ff7508               | xor                 edx, edx
            //   ff75f0               | dec                 esp
            //   ff75f4               | arpl                ax, ax
            //   6822010000           | mov                 eax, edi
            //   e9????????           |                     
            //   ff7508               | dec                 eax

        $sequence_5 = { 8b35???????? 7414 8d4dfc 51 }
            // n = 4, score = 2300
            //   8b35????????         |                     
            //   7414                 | cmovne              ecx, eax
            //   8d4dfc               | dec                 eax
            //   51                   | mov                 dword ptr [esp + 0x20], ebx

        $sequence_6 = { ff35???????? e8???????? 8bf0 3bf3 7443 6aff }
            // n = 6, score = 2200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8bf0                 | mov                 eax, edi
            //   3bf3                 | dec                 eax
            //   7443                 | add                 esp, 0x40
            //   6aff                 | inc                 ecx

        $sequence_7 = { e8???????? 83c40c e8???????? 3bc7 8945f0 }
            // n = 5, score = 2200
            //   e8????????           |                     
            //   83c40c               | xor                 eax, eax
            //   e8????????           |                     
            //   3bc7                 | cmp                 eax, edi
            //   8945f0               | je                  0x22

        $sequence_8 = { 85c0 740f 8b45fc 03c0 }
            // n = 4, score = 2200
            //   85c0                 | cmp                 eax, edi
            //   740f                 | push                eax
            //   8b45fc               | push                0x10
            //   03c0                 | pop                 eax

        $sequence_9 = { 3bc7 741b 50 33c0 }
            // n = 4, score = 2100
            //   3bc7                 | lea                 ecx, [ecx + esi*8 + 0x88]
            //   741b                 | jmp                 0xf
            //   50                   | lea                 ecx, [ecx + esi*8 + 0x78]
            //   33c0                 | add                 edi, ecx

        $sequence_10 = { 59 c20400 8325????????00 6a00 68???????? 6a01 }
            // n = 6, score = 2100
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   8325????????00       |                     
            //   6a00                 | push                0
            //   68????????           |                     
            //   6a01                 | push                1

        $sequence_11 = { 5e 8bc5 5d 5b 59 c20400 8325????????00 }
            // n = 7, score = 2100
            //   5e                   | pop                 esi
            //   8bc5                 | mov                 eax, ebp
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   8325????????00       |                     

        $sequence_12 = { ff15???????? 85c0 a3???????? 7402 ffe0 c20400 }
            // n = 6, score = 2000
            //   ff15????????         |                     
            //   85c0                 | push                eax
            //   a3????????           |                     
            //   7402                 | call                esi
            //   ffe0                 | test                eax, eax
            //   c20400               | push                edi

        $sequence_13 = { 5b c20400 55 8bec 83ec0c a1???????? 8365f800 }
            // n = 7, score = 1800
            //   5b                   | mov                 eax, 0x10000
            //   c20400               | dec                 eax
            //   55                   | mov                 dword ptr [esp + 0x20], eax
            //   8bec                 | dec                 eax
            //   83ec0c               | test                ebx, ebx
            //   a1????????           |                     
            //   8365f800             | mov                 edx, 8

        $sequence_14 = { 8901 8b45fc 5f 5e 5b c9 c20800 }
            // n = 7, score = 1800
            //   8901                 | push                eax
            //   8b45fc               | cmp                 edi, ebx
            //   5f                   | pop                 eax
            //   5e                   | cmp                 eax, ebx
            //   5b                   | je                  0xa
            //   c9                   | push                eax
            //   c20800               | cmp                 edi, ebx

        $sequence_15 = { 3c05 7506 84e4 7704 3ac0 }
            // n = 5, score = 1700
            //   3c05                 | je                  0x11
            //   7506                 | push                0x10
            //   84e4                 | pop                 eax
            //   7704                 | cmp                 eax, edi
            //   3ac0                 | push                eax

        $sequence_16 = { 8d45f8 50 e8???????? 8bf8 3bfb }
            // n = 5, score = 1700
            // 
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfb                 | cmp                 edi, ebx

        $sequence_17 = { 3bc3 7512 e8???????? 3bc3 }
            // n = 4, score = 1700
            //   3bc3                 | cmp                 eax, ebx
            //   7512                 | jne                 0x14
            //   e8????????           |                     
            //   3bc3                 | cmp                 eax, ebx

        $sequence_18 = { b8???????? 7505 b8???????? 53 bb60ea0000 }
            // n = 5, score = 1700
            //   b8????????           |                     
            //   7505                 | jne                 7
            //   b8????????           |                     
            //   53                   | push                ebx
            //   bb60ea0000           | mov                 ebx, 0xea60

        $sequence_19 = { e8???????? 8bd8 85db 895df4 0f84c7000000 56 }
            // n = 6, score = 1700
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   0f84c7000000         | je                  0xcd
            //   56                   | push                esi

        $sequence_20 = { 895df4 0f84c7000000 56 53 ff15???????? 53 }
            // n = 6, score = 1700
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   0f84c7000000         | je                  0xcd
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_21 = { 83ec14 8364240400 53 8b5d0c 837b240c }
            // n = 5, score = 1600
            //   83ec14               | inc                 ecx
            //   8364240400           | movzx               eax, byte ptr [ecx + 2]
            //   53                   | dec                 eax
            //   8b5d0c               | add                 ebx, edi
            //   837b240c             | inc                 ecx

        $sequence_22 = { 8bc6 5e c9 c21000 55 8bec 83ec14 }
            // n = 7, score = 1600
            //   8bc6                 | push                0xff676980
            //   5e                   | push                dword ptr [ebp - 0x10]
            //   c9                   | push                dword ptr [ebp - 0xc]
            //   c21000               | push                0x122
            //   55                   | push                dword ptr [ebp + 8]
            //   8bec                 | push                0
            //   83ec14               | push                0

        $sequence_23 = { 8a4604 2404 f6d8 1bc0 83e006 }
            // n = 5, score = 1600
            //   8a4604               | mov                 esi, eax
            //   2404                 | mov                 dword ptr [edx], esi
            //   f6d8                 | add                 edx, 4
            //   1bc0                 | dec                 dword ptr [esp + 0xc]
            //   83e006               | jne                 0x2d

        $sequence_24 = { 894b34 8b4b24 2b4b28 894c2410 8b4b34 f6c140 }
            // n = 6, score = 1600
            //   894b34               | pop                 eax
            //   8b4b24               | cmp                 eax, edi
            //   2b4b28               | push                eax
            //   894c2410             | push                0x10
            //   8b4b34               | pop                 eax
            //   f6c140               | cmp                 eax, edi

        $sequence_25 = { 6a08 5e 5f 8bc6 5e c9 }
            // n = 6, score = 1600
            //   6a08                 | and                 dword ptr [esp + 4], 0
            //   5e                   | push                ebx
            //   5f                   | mov                 ebx, dword ptr [ebp + 0xc]
            //   8bc6                 | cmp                 dword ptr [ebx + 0x24], 0xc
            //   5e                   | mov                 edi, dword ptr [ebx]
            //   c9                   | mov                 dword ptr [esp + 0x1c], edi

        $sequence_26 = { e8???????? 8b07 c6400731 8b74241c 8b1e 6a00 }
            // n = 6, score = 1600
            //   e8????????           |                     
            //   8b07                 | dec                 eax
            //   c6400731             | lea                 ecx, [ebx + eax*8]
            //   8b74241c             | inc                 ecx
            //   8b1e                 | movzx               eax, byte ptr [ecx + 3]
            //   6a00                 | dec                 eax

        $sequence_27 = { ff15???????? 8b442414 8b4c240c 8907 8b442418 894110 }
            // n = 6, score = 1600
            //   ff15????????         |                     
            //   8b442414             | lea                 ecx, [ebx + eax*8]
            //   8b4c240c             | inc                 ecx
            //   8907                 | mov                 ebx, eax
            //   8b442418             | dec                 eax
            //   894110               | add                 ebx, edi

        $sequence_28 = { 6a00 ff37 ff15???????? 2b442414 50 }
            // n = 5, score = 1600
            //   6a00                 | push                edi
            //   ff37                 | push                eax
            //   ff15????????         |                     
            //   2b442414             | call                esi
            //   50                   | test                eax, eax

        $sequence_29 = { 2b442414 50 8b07 03442418 50 }
            // n = 5, score = 1600
            //   2b442414             | inc                 ecx
            //   50                   | movzx               eax, byte ptr [ecx + 1]
            //   8b07                 | xor                 edx, edx
            //   03442418             | dec                 eax
            //   50                   | lea                 ecx, [ebx + eax*8]

        $sequence_30 = { 8b35???????? 50 83c60a e8???????? 5f 5e }
            // n = 6, score = 1500
            //   8b35????????         |                     
            //   50                   | push                eax
            //   83c60a               | add                 esi, 0xa
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_31 = { 6a01 33db 53 ff35???????? }
            // n = 4, score = 1500
            //   6a01                 | cmp                 esi, ebx
            //   33db                 | je                  0x47
            //   53                   | push                -1
            //   ff35????????         |                     

        $sequence_32 = { 85c0 740d 8906 83c604 47 83ff03 }
            // n = 6, score = 1500
            //   85c0                 | je                  0x11
            //   740d                 | mov                 eax, dword ptr [ebp - 4]
            //   8906                 | test                eax, eax
            //   83c604               | je                  4
            //   47                   | jmp                 eax
            //   83ff03               | ret                 4

        $sequence_33 = { 6a0d 58 e8???????? 85c0 740d 8906 }
            // n = 6, score = 1500
            //   6a0d                 | pop                 esi
            //   58                   | mov                 eax, ebp
            //   e8????????           |                     
            //   85c0                 | pop                 ebp
            //   740d                 | pop                 ebx
            //   8906                 | pop                 ecx

        $sequence_34 = { 488bcf c744242860ea0000 4c0f45c8 48895c2420 e8???????? }
            // n = 5, score = 1500
            //   488bcf               | add                 esi, 0xa
            //   c744242860ea0000     | pop                 edi
            //   4c0f45c8             | push                eax
            //   48895c2420           | add                 esi, 0xa
            //   e8????????           |                     

        $sequence_35 = { 3bc7 8945e0 0f8417020000 8b0d???????? 33cb }
            // n = 5, score = 1400
            //   3bc7                 | mov                 ebp, esp
            //   8945e0               | sub                 esp, 0xc
            //   0f8417020000         | and                 dword ptr [ebp - 8], 0
            //   8b0d????????         |                     
            //   33cb                 | ret                 4

        $sequence_36 = { 8b483c 03c8 0fb74106 8365f800 53 8945fc 0fb74114 }
            // n = 7, score = 1400
            //   8b483c               | push                dword ptr [ebp - 0xc]
            //   03c8                 | push                0x122
            //   0fb74106             | push                dword ptr [ebp + 8]
            //   8365f800             | push                0
            //   53                   | push                0
            //   8945fc               | push                0x122
            //   0fb74114             | push                dword ptr [ebp + 8]

        $sequence_37 = { 750e 837d0800 7408 ff7508 }
            // n = 4, score = 1400
            //   750e                 | mov                 ebx, 0x7f
            //   837d0800             | jmp                 0x13
            //   7408                 | mov                 ebx, 0x7e
            //   ff7508               | mov                 ecx, 0x10e

        $sequence_38 = { 7421 ff75f8 e8???????? 8b45fc 5f 5e }
            // n = 6, score = 1400
            //   7421                 | and                 dword ptr [ebp - 8], 0
            //   ff75f8               | push                edi
            //   e8????????           |                     
            //   8b45fc               | lea                 eax, [ebp - 8]
            //   5f                   | push                4
            //   5e                   | push                eax

        $sequence_39 = { 50 57 6a01 ff75e0 68???????? e8???????? }
            // n = 6, score = 1400
            //   50                   | push                eax
            //   57                   | push                edi
            //   6a01                 | push                1
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_40 = { 33ff eb0b 33ff eb03 }
            // n = 4, score = 1400
            //   33ff                 | dec                 eax
            //   eb0b                 | add                 esi, 8
            //   33ff                 | cmp                 ebp, 5
            //   eb03                 | jb                  0xffffffc6

        $sequence_41 = { 488b0d???????? 448bc3 33d2 41c1e003 ff15???????? 4885c0 488be8 }
            // n = 7, score = 1400
            //   488b0d????????       |                     
            //   448bc3               | xor                 eax, eax
            //   33d2                 | cmp                 eax, edi
            //   41c1e003             | je                  0x1a
            //   ff15????????         |                     
            //   4885c0               | jmp                 0xa
            //   488be8               | xor                 eax, eax

        $sequence_42 = { 53 8bc6 e8???????? 85c0 7516 }
            // n = 5, score = 1400
            //   53                   | jmp                 0x20
            //   8bc6                 | mov                 ebx, 0x7f
            //   e8????????           |                     
            //   85c0                 | jmp                 0x20
            //   7516                 | dec                 eax

        $sequence_43 = { be01000000 8bc6 4883c440 415e }
            // n = 4, score = 1400
            //   be01000000           | test                eax, eax
            //   8bc6                 | je                  0x1e
            //   4883c440             | push                ecx
            //   415e                 | push                edi

        $sequence_44 = { 8d740818 8b4508 3b460c 7247 }
            // n = 4, score = 1400
            //   8d740818             | push                1
            //   8b4508               | xor                 ebx, ebx
            //   3b460c               | push                ebx
            //   7247                 | push                1

        $sequence_45 = { 8b5e10 8d4438ff 4f f7d7 }
            // n = 4, score = 1400
            //   8b5e10               | xor                 ebx, ebx
            //   8d4438ff             | push                ebx
            //   4f                   | mov                 esi, eax
            //   f7d7                 | cmp                 esi, ebx

        $sequence_46 = { 53 b800080000 50 56 }
            // n = 4, score = 1400
            //   53                   | push                ebx
            //   b800080000           | mov                 ebx, eax
            //   50                   | test                ebx, ebx
            //   56                   | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_47 = { 7408 ff7508 e8???????? 8bc7 }
            // n = 4, score = 1400
            //   7408                 | add                 esi, 8
            //   ff7508               | cmp                 ebp, 5
            //   e8????????           |                     
            //   8bc7                 | jb                  0xffffffca

        $sequence_48 = { 415c 5f 5e 5d 5b c3 8b4754 }
            // n = 7, score = 1400
            //   415c                 | cmp                 eax, edi
            //   5f                   | mov                 dword ptr [ebp - 0x20], eax
            //   5e                   | je                  0x224
            //   5d                   | jmp                 4
            //   5b                   | xor                 eax, eax
            //   c3                   | cmp                 eax, edi
            //   8b4754               | je                  0x1a

        $sequence_49 = { 8b4608 8b513c 8b5e10 8d4438ff }
            // n = 4, score = 1400
            //   8b4608               | ret                 4
            //   8b513c               | push                ebp
            //   8b5e10               | mov                 ebp, esp
            //   8d4438ff             | sub                 esp, 0xc

        $sequence_50 = { ff15???????? 50 ff15???????? 215df8 e9???????? }
            // n = 5, score = 1400
            //   ff15????????         |                     
            //   50                   | je                  0x47
            //   ff15????????         |                     
            //   215df8               | push                dword ptr [ebp - 0x10]
            //   e9????????           |                     

        $sequence_51 = { 83780800 7437 668179046486 7509 8d8cf188000000 eb04 8d4cf178 }
            // n = 7, score = 1400
            //   83780800             | and                 dword ptr [ebp - 8], 0
            //   7437                 | ret                 4
            //   668179046486         | push                ebp
            //   7509                 | mov                 ebp, esp
            //   8d8cf188000000       | sub                 esp, 0xc
            //   eb04                 | and                 dword ptr [ebp - 8], 0
            //   8d4cf178             | ret                 4

        $sequence_52 = { 03f9 57 50 e8???????? }
            // n = 4, score = 1400
            //   03f9                 | push                ebp
            //   57                   | mov                 ebp, esp
            //   50                   | sub                 esp, 0xc
            //   e8????????           |                     

        $sequence_53 = { ff15???????? a1???????? 85c0 7407 83ee64 }
            // n = 5, score = 1400
            //   ff15????????         |                     
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   83ee64               | sub                 esi, 0x64

        $sequence_54 = { 83c40c 8b45f8 8b4d0c c6043000 8901 8b4510 }
            // n = 6, score = 1400
            //   83c40c               | push                0
            //   8b45f8               | push                0x122
            //   8b4d0c               | push                dword ptr [ebp + 8]
            //   c6043000             | push                0
            //   8901                 | push                0
            //   8b4510               | pop                 ebx

        $sequence_55 = { 50 8d4508 50 53 8bc6 }
            // n = 5, score = 1400
            //   50                   | mov                 ebx, 0x7f
            //   8d4508               | jmp                 0x13
            //   50                   | cmp                 ebp, 5
            //   53                   | jb                  0xffffffc6
            //   8bc6                 | jmp                 0x13

        $sequence_56 = { 752f 8b450c 8930 eb33 6a00 }
            // n = 5, score = 1400
            //   752f                 | mov                 edi, ebp
            //   8b450c               | dec                 ecx
            //   8930                 | cmp                 eax, ebp
            //   eb33                 | je                  0x23
            //   6a00                 | mov                 edi, dword ptr [eax]

        $sequence_57 = { 6a00 ff35???????? ffd7 85c0 8945f0 0f844b020000 a1???????? }
            // n = 7, score = 1400
            //   6a00                 | push                eax
            //   ff35????????         |                     
            //   ffd7                 | push                edi
            //   85c0                 | push                dword ptr [ebp + 8]
            //   8945f0               | push                4
            //   0f844b020000         | push                eax
            //   a1????????           |                     

        $sequence_58 = { 488bcf ff15???????? 4c8964dd00 83c301 4885ff }
            // n = 5, score = 1400
            //   488bcf               | mov                 esi, eax
            //   ff15????????         |                     
            //   4c8964dd00           | xor                 ebx, ebx
            //   83c301               | push                ebx
            //   4885ff               | mov                 esi, eax

        $sequence_59 = { 7406 50 e8???????? 3bfb 7414 a1???????? }
            // n = 6, score = 1300
            //   7406                 | push                dword ptr [ebp - 0x10]
            //   50                   | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   3bfb                 | push                0x122
            //   7414                 | push                dword ptr [ebp + 8]
            //   a1????????           |                     

        $sequence_60 = { 50 8bd7 e8???????? eb02 33c0 3bc3 7413 }
            // n = 7, score = 1300
            //   50                   | push                dword ptr [ebp - 0xc]
            //   8bd7                 | push                0x122
            //   e8????????           |                     
            //   eb02                 | push                dword ptr [ebp + 8]
            //   33c0                 | push                0
            //   3bc3                 | push                0
            //   7413                 | push                dword ptr [ebp + 8]

        $sequence_61 = { 75cf 33ff 3bf7 741c }
            // n = 4, score = 1300
            //   75cf                 | jne                 0xffffffd1
            //   33ff                 | xor                 edi, edi
            //   3bf7                 | cmp                 esi, edi
            //   741c                 | je                  0x1e

        $sequence_62 = { 6641b85c00 33d2 488bcd ff15???????? }
            // n = 4, score = 1300
            //   6641b85c00           | push                esi
            //   33d2                 | mov                 esi, ecx
            //   488bcd               | add                 eax, 0xfffffefe
            //   ff15????????         |                     

        $sequence_63 = { 50 83c604 e8???????? 3bfb }
            // n = 4, score = 1300
            //   50                   | mov                 dword ptr [ebp - 0x20], eax
            //   83c604               | je                  0x226
            //   e8????????           |                     
            //   3bfb                 | call                edi

        $sequence_64 = { b90e010000 41b800000100 4889442420 e8???????? e9???????? }
            // n = 5, score = 1300
            //   b90e010000           | add                 eax, 0xfffffefe
            //   41b800000100         | xor                 ebx, ebx
            //   4889442420           | xor                 ecx, ecx
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_65 = { 8d043f 50 e8???????? 8bf0 85f6 75cf 33ff }
            // n = 7, score = 1300
            //   8d043f               | lea                 eax, [edi + edi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   75cf                 | jne                 0xffffffd1
            //   33ff                 | xor                 edi, edi

        $sequence_66 = { ffd6 8b4df4 66c7015c00 eb0f 68???????? }
            // n = 5, score = 1300
            //   ffd6                 | jmp                 4
            //   8b4df4               | xor                 eax, eax
            //   66c7015c00           | cmp                 eax, edi
            //   eb0f                 | je                  0x1c
            //   68????????           |                     

        $sequence_67 = { 83fd05 72c1 eb0c bb7f000000 }
            // n = 4, score = 1300
            //   83fd05               | mov                 ebx, 0x57
            //   72c1                 | cmp                 ebp, 5
            //   eb0c                 | jb                  0xffffffc3
            //   bb7f000000           | jmp                 0xe

        $sequence_68 = { bf04010000 e8???????? 8bf0 85f6 7453 57 }
            // n = 6, score = 1300
            //   bf04010000           | mov                 edi, 0x104
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7453                 | je                  0x55
            //   57                   | push                edi

        $sequence_69 = { 8bd5 488bcf bb57000000 e8???????? }
            // n = 4, score = 1300
            //   8bd5                 | mov                 edx, ebp
            //   488bcf               | dec                 eax
            //   bb57000000           | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_70 = { 4c8bc3 33d2 ff15???????? 488bdf 8bf7 483bdf }
            // n = 6, score = 1300
            //   4c8bc3               | je                  0x49
            //   33d2                 | push                -1
            //   ff15????????         |                     
            //   488bdf               | pop                 ebx
            //   8bf7                 | pop                 ecx
            //   483bdf               | ret                 4

        $sequence_71 = { 3bc3 740f 8b35???????? 50 83c604 }
            // n = 5, score = 1300
            //   3bc3                 | je                  0x1f2
            //   740f                 | push                0
            //   8b35????????         |                     
            //   50                   | call                edi
            //   83c604               | test                eax, eax

        $sequence_72 = { e8???????? 85c0 742d ff75fc 6a0d }
            // n = 5, score = 1300
            //   e8????????           |                     
            //   85c0                 | mov                 esi, eax
            //   742d                 | cmp                 esi, ebx
            //   ff75fc               | je                  0x49
            //   6a0d                 | push                -1

        $sequence_73 = { 7505 894720 eb0b 8b4f30 84c9 0f8992000000 }
            // n = 6, score = 1200
            //   7505                 | push                dword ptr [ebp - 0x10]
            //   894720               | push                dword ptr [ebp - 0xc]
            //   eb0b                 | push                0x122
            //   8b4f30               | push                dword ptr [ebp + 8]
            //   84c9                 | push                dword ptr [ebp - 0xc]
            //   0f8992000000         | push                0x122

        $sequence_74 = { 83e103 740d 51 50 ff7510 e8???????? 83c40c }
            // n = 7, score = 1200
            //   83e103               | and                 ecx, 3
            //   740d                 | je                  0xf
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_75 = { 8b7d10 0155fc 83451004 83c004 }
            // n = 4, score = 1200
            //   8b7d10               | jne                 0xb
            //   0155fc               | xor                 ebx, ebx
            //   83451004             | mov                 dword ptr [ebp + 8], ebx
            //   83c004               | jmp                 0xe

        $sequence_76 = { f6400408 752e 53 e8???????? 6a01 6a01 }
            // n = 6, score = 1200
            //   f6400408             | mov                 dword ptr [ebp - 0xc], ebx
            //   752e                 | je                  0xee
            //   53                   | push                esi
            //   e8????????           |                     
            //   6a01                 | mov                 ebx, eax
            //   6a01                 | test                ebx, ebx

        $sequence_77 = { 84c9 0f8992000000 8b4f30 f6c104 7414 }
            // n = 5, score = 1200
            //   84c9                 | cmp                 eax, edi
            //   0f8992000000         | je                  0x13
            //   8b4f30               | cmp                 eax, edi
            //   f6c104               | je                  0x1f
            //   7414                 | push                eax

        $sequence_78 = { 33db 6a01 e8???????? 85db 7423 8b0d???????? 0fb701 }
            // n = 7, score = 1200
            //   33db                 | push                dword ptr [ebp - 0xc]
            //   6a01                 | push                0x122
            //   e8????????           |                     
            //   85db                 | push                dword ptr [ebp + 8]
            //   7423                 | push                0
            //   8b0d????????         |                     
            //   0fb701               | push                0

        $sequence_79 = { 53 ff35???????? 8bd7 ff75fc }
            // n = 4, score = 1200
            //   53                   | push                ecx
            //   ff35????????         |                     
            //   8bd7                 | push                edi
            //   ff75fc               | push                eax

        $sequence_80 = { e8???????? 3bfe 740e 57 56 }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   3bfe                 | mov                 dword ptr [ebp - 0xc], ebx
            //   740e                 | je                  0x10a
            //   57                   | mov                 ebx, eax
            //   56                   | test                ebx, ebx

        $sequence_81 = { c744242000010000 ff15???????? 4883f8ff 488bf8 7442 }
            // n = 5, score = 1200
            //   c744242000010000     | add                 esi, 8
            //   ff15????????         |                     
            //   4883f8ff             | cmp                 ebp, 5
            //   488bf8               | jb                  0xffffffca
            //   7442                 | jmp                 0x17

        $sequence_82 = { eb0a 81fb03010000 7502 33db }
            // n = 4, score = 1200
            //   eb0a                 | dec                 ecx
            //   81fb03010000         | mov                 ecx, esp
            //   7502                 | dec                 ecx
            //   33db                 | mov                 edi, ebp

        $sequence_83 = { e8???????? 8bf8 85ff 0f845d010000 8b4730 a808 }
            // n = 6, score = 1200
            //   e8????????           |                     
            //   8bf8                 | push                eax
            //   85ff                 | add                 esp, 0xc
            //   0f845d010000         | cmp                 eax, edi
            //   8b4730               | mov                 dword ptr [ebp - 0x10], eax
            //   a808                 | push                edi

        $sequence_84 = { 83451004 83c004 49 8917 75e9 8b4e10 }
            // n = 6, score = 1200
            //   83451004             | add                 dword ptr [ebp + 0x10], 4
            //   83c004               | add                 eax, 4
            //   49                   | dec                 ecx
            //   8917                 | mov                 dword ptr [edi], edx
            //   75e9                 | jne                 0xffffffeb
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]

        $sequence_85 = { ff7510 57 ff750c 53 e8???????? 3bfe }
            // n = 6, score = 1200
            //   ff7510               | push                dword ptr [ebp + 8]
            //   57                   | cmp                 eax, ebx
            //   ff750c               | jne                 0x16
            //   53                   | cmp                 eax, ebx
            //   e8????????           |                     
            //   3bfe                 | cmp                 eax, ebx

        $sequence_86 = { ff7510 e8???????? 83c40c c745fc01000000 8b4610 c6040300 837e1004 }
            // n = 7, score = 1200
            //   ff7510               | mov                 ecx, edi
            //   e8????????           |                     
            //   83c40c               | mov                 dword ptr [esp + 0x28], 0xea60
            //   c745fc01000000       | dec                 esp
            //   8b4610               | cmovne              ecx, eax
            //   c6040300             | dec                 eax
            //   837e1004             | mov                 dword ptr [esp + 0x20], ebx

        $sequence_87 = { ff35???????? 8945f8 ff15???????? 8bd8 3bde }
            // n = 5, score = 1200
            //   ff35????????         |                     
            //   8945f8               | je                  0x47
            //   ff15????????         |                     
            //   8bd8                 | push                -1
            //   3bde                 | push                0xff676980

        $sequence_88 = { e8???????? 33f6 3975fc 7410 ff75fc 56 ff35???????? }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   33f6                 | mov                 dword ptr [ebp - 0xc], ebx
            //   3975fc               | je                  0xfc
            //   7410                 | push                esi
            //   ff75fc               | mov                 ebx, eax
            //   56                   | test                ebx, ebx
            //   ff35????????         |                     

        $sequence_89 = { 8b8c2490000000 83bc248800000000 4c8b442440 488b542448 894c2430 }
            // n = 5, score = 1200
            //   8b8c2490000000       | pop                 ebp
            //   83bc248800000000     | pop                 ebx
            //   4c8b442440           | pop                 ecx
            //   488b542448           | ret                 4
            //   894c2430             | pop                 ecx

        $sequence_90 = { 53 e8???????? 85c0 0f8544010000 8b472c a801 }
            // n = 6, score = 1200
            //   53                   | je                  0x21
            //   e8????????           |                     
            //   85c0                 | push                eax
            //   0f8544010000         | xor                 eax, eax
            //   8b472c               | jmp                 4
            //   a801                 | xor                 eax, eax

        $sequence_91 = { 0f85d7000000 8b4604 6a00 ff750c ff7508 ff36 }
            // n = 6, score = 1200
            //   0f85d7000000         | xor                 eax, eax
            //   8b4604               | cmp                 eax, edi
            //   6a00                 | je                  0x21
            //   ff750c               | push                eax
            //   ff7508               | xor                 eax, eax
            //   ff36                 | jmp                 4

        $sequence_92 = { ff15???????? 53 56 ff35???????? ff15???????? 5b 5f }
            // n = 7, score = 1200
            //   ff15????????         |                     
            //   53                   | je                  0x18d
            //   56                   | push                esi
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   5b                   | push                ebx
            //   5f                   | jne                 0xdc

        $sequence_93 = { 8b4e10 8365fc00 c1e902 895d10 }
            // n = 4, score = 1200
            //   8b4e10               | mov                 ebx, 0xea60
            //   8365fc00             | jne                 0x18
            //   c1e902               | push                ebx
            //   895d10               | mov                 ebx, 0xea60

        $sequence_94 = { a3???????? a3???????? a3???????? a1???????? 83e0fb 0bc2 }
            // n = 6, score = 1200
            //   a3????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   83e0fb               | je                  0x224
            //   0bc2                 | push                edi

        $sequence_95 = { 7417 8b10 2b55fc 8b7d10 0155fc }
            // n = 5, score = 1200
            //   7417                 | je                  0x19
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   2b55fc               | sub                 edx, dword ptr [ebp - 4]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   0155fc               | add                 dword ptr [ebp - 4], edx

        $sequence_96 = { 750f ff37 e8???????? 85c0 0f8586000000 }
            // n = 5, score = 1200
            //   750f                 | xor                 eax, eax
            //   ff37                 | xor                 eax, eax
            //   e8????????           |                     
            //   85c0                 | cmp                 eax, edi
            //   0f8586000000         | je                  0x1f

        $sequence_97 = { 85c0 0f8586000000 8b4720 8b4e04 6a00 }
            // n = 5, score = 1200
            //   85c0                 | pop                 eax
            //   0f8586000000         | cmp                 eax, edi
            //   8b4720               | je                  0xb
            //   8b4e04               | xor                 eax, eax
            //   6a00                 | cmp                 eax, edi

        $sequence_98 = { eb02 33c0 5f f7d0 5e c3 55 }
            // n = 7, score = 1200
            //   eb02                 | jmp                 0xa
            //   33c0                 | jne                 9
            //   5f                   | xor                 ebx, ebx
            //   f7d0                 | mov                 dword ptr [ebp + 8], ebx
            //   5e                   | jmp                 0xa
            //   c3                   | mov                 ebx, dword ptr [ebp + 8]
            //   55                   | test                eax, eax

        $sequence_99 = { 740e 4103ee 4883c608 83fd05 72c1 }
            // n = 5, score = 1100
            //   740e                 | cmp                 ebx, ebp
            //   4103ee               | inc                 ecx
            //   4883c608             | add                 ebp, esi
            //   83fd05               | dec                 eax
            //   72c1                 | add                 esi, 8

        $sequence_100 = { 410fb64101 33d2 488d0cc3 48890d???????? 410fb64102 488d0cc3 48890d???????? }
            // n = 7, score = 1100
            //   410fb64101           | push                dword ptr [ebp + 8]
            //   33d2                 | push                dword ptr [ebp - 0x10]
            //   488d0cc3             | push                dword ptr [ebp - 0xc]
            //   48890d????????       |                     
            //   410fb64102           | push                0x122
            //   488d0cc3             | push                dword ptr [ebp + 8]
            //   48890d????????       |                     

        $sequence_101 = { 85d2 4d8bf1 458bf8 8bc2 }
            // n = 4, score = 1100
            //   85d2                 | je                  0x1a
            //   4d8bf1               | jmp                 0xa
            //   458bf8               | xor                 eax, eax
            //   8bc2                 | cmp                 eax, edi

        $sequence_102 = { c3 418bd8 4803df 410fb64101 33d2 488d0cc3 }
            // n = 6, score = 1100
            //   c3                   | push                dword ptr [ebp - 0xc]
            //   418bd8               | push                0x122
            //   4803df               | push                dword ptr [ebp + 8]
            //   410fb64101           | jmp                 4
            //   33d2                 | xor                 eax, eax
            //   488d0cc3             | cmp                 eax, edi

        $sequence_103 = { 8bc6 e8???????? 56 ff7510 }
            // n = 4, score = 1100
            //   8bc6                 | add                 ebp, esi
            //   e8????????           |                     
            //   56                   | dec                 eax
            //   ff7510               | add                 esi, 8

        $sequence_104 = { 33d2 ff15???????? 8b05???????? 418bdd }
            // n = 4, score = 1100
            //   33d2                 | mov                 edi, ebp
            //   ff15????????         |                     
            //   8b05????????         |                     
            //   418bdd               | dec                 ecx

        $sequence_105 = { 448be8 418b4310 41394308 410f474308 4533c0 }
            // n = 5, score = 1100
            //   448be8               | dec                 eax
            //   418b4310             | lea                 ecx, [ebx + eax*8]
            //   41394308             | inc                 ecx
            //   410f474308           | movzx               eax, byte ptr [ecx + 2]
            //   4533c0               | dec                 eax

        $sequence_106 = { ff15???????? 488bcf 48870d???????? 483bcf 7405 }
            // n = 5, score = 1100
            //   ff15????????         |                     
            //   488bcf               | push                ebx
            //   48870d????????       |                     
            //   483bcf               | mov                 eax, esi
            //   7405                 | mov                 eax, dword ptr [esi]

        $sequence_107 = { 50 57 e8???????? e9???????? 68???????? }
            // n = 5, score = 1100
            //   50                   | dec                 eax
            //   57                   | add                 esi, 8
            //   e8????????           |                     
            //   e9????????           |                     
            //   68????????           |                     

        $sequence_108 = { 33d2 498bcc 498bfd e8???????? 493bc5 7405 }
            // n = 6, score = 1100
            //   33d2                 | mov                 ebx, 0x7f
            //   498bcc               | mov                 dword ptr [esp + 0x20], 0x100
            //   498bfd               | dec                 eax
            //   e8????????           |                     
            //   493bc5               | cmp                 eax, -1
            //   7405                 | dec                 eax

        $sequence_109 = { 85c0 7507 33db 895d08 eb03 8b5d08 }
            // n = 6, score = 1100
            //   85c0                 | push                0x122
            //   7507                 | push                dword ptr [ebp + 8]
            //   33db                 | push                dword ptr [ebp - 0x10]
            //   895d08               | push                dword ptr [ebp - 0xc]
            //   eb03                 | push                0x122
            //   8b5d08               | push                dword ptr [ebp + 8]

        $sequence_110 = { 8a4b1c 488b4558 4c8b4d30 4c8b4510 }
            // n = 4, score = 1100
            //   8a4b1c               | cmp                 ebp, 5
            //   488b4558             | jb                  0xffffffc6
            //   4c8b4d30             | jmp                 0x13
            //   4c8b4510             | mov                 ebx, 0x7f

        $sequence_111 = { 5b c9 c20400 51 56 ff74240c }
            // n = 6, score = 1100
            //   5b                   | inc                 ecx
            //   c9                   | add                 ebp, esi
            //   c20400               | dec                 eax
            //   51                   | add                 esi, 8
            //   56                   | cmp                 ebp, 5
            //   ff74240c             | jb                  0xffffffcd

        $sequence_112 = { 50 8bc8 e8???????? ff7518 }
            // n = 4, score = 1100
            //   50                   | lea                 ecx, [ebx + eax*8]
            //   8bc8                 | inc                 ecx
            //   e8????????           |                     
            //   ff7518               | movzx               eax, byte ptr [ecx + 2]

        $sequence_113 = { 410fb64102 488d0cc3 48890d???????? 410fb64103 488d0cc3 48890d???????? }
            // n = 6, score = 1100
            //   410fb64102           | ret                 
            //   488d0cc3             | mov                 eax, dword ptr [edi + 0x54]
            //   48890d????????       |                     
            //   410fb64103           | test                al, 4
            //   488d0cc3             | mov                 esi, 1
            //   48890d????????       |                     

        $sequence_114 = { 33d2 ff15???????? 483bc3 4c8be8 }
            // n = 4, score = 1100
            //   33d2                 | jmp                 0x13
            //   ff15????????         |                     
            //   483bc3               | mov                 ebx, 0x7e
            //   4c8be8               | inc                 ecx

        $sequence_115 = { 33d2 ff15???????? 4885db 740c 4c8b0d???????? }
            // n = 5, score = 1100
            //   33d2                 | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   4885db               | push                0x122
            //   740c                 | push                dword ptr [ebp + 8]
            //   4c8b0d????????       |                     

        $sequence_116 = { 8bc7 4883c440 415e 415d 415c }
            // n = 5, score = 1100
            //   8bc7                 | push                ebx
            //   4883c440             | push                esi
            //   415e                 | mov                 esi, ecx
            //   415d                 | add                 eax, 0xfffffefe
            //   415c                 | xor                 ebx, ebx

        $sequence_117 = { ff15???????? 8b4d08 57 e8???????? 8bd8 }
            // n = 5, score = 1100
            //   ff15????????         |                     
            //   8b4d08               | test                eax, eax
            //   57                   | jne                 9
            //   e8????????           |                     
            //   8bd8                 | xor                 ebx, ebx

        $sequence_118 = { 488bce ff15???????? 488b0d???????? 33d2 4c63c0 }
            // n = 5, score = 1100
            //   488bce               | mov                 esi, ecx
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   33d2                 | add                 eax, 0xfffffefe
            //   4c63c0               | xor                 ebx, ebx

        $sequence_119 = { 89742420 e8???????? 8bf0 eb05 }
            // n = 4, score = 1100
            //   89742420             | cmp                 edi, ebx
            //   e8????????           |                     
            //   8bf0                 | je                  0x19
            //   eb05                 | cmp                 eax, ebx

        $sequence_120 = { 4533c9 4533c0 33d2 c705????????01000000 ff15???????? }
            // n = 5, score = 1100
            //   4533c9               | mov                 dword ptr [ebp - 0x10], ebx
            //   4533c0               | mov                 dword ptr [ebp - 8], 0x57
            //   33d2                 | mov                 edi, 0x119
            //   c705????????01000000     |     
            //   ff15????????         |                     

        $sequence_121 = { e8???????? 488bcf ff15???????? 488b5c2430 }
            // n = 4, score = 1000
            //   e8????????           |                     
            //   488bcf               | mov                 ecx, 0x10e
            //   ff15????????         |                     
            //   488b5c2430           | inc                 ecx

        $sequence_122 = { c705????????01000000 ff15???????? 488b0d???????? ff15???????? 488bcf }
            // n = 5, score = 1000
            //   c705????????01000000     |     
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   ff15????????         |                     
            //   488bcf               | cmp                 edi, ebx

        $sequence_123 = { 8bf0 8932 83c204 ff4c240c 75e6 }
            // n = 5, score = 1000
            //   8bf0                 | mov                 eax, dword ptr [ebp + 0x10]
            //   8932                 | xor                 edx, edx
            //   83c204               | dec                 eax
            //   ff4c240c             | cmp                 eax, ebx
            //   75e6                 | dec                 esp

        $sequence_124 = { 75e6 5e 5b c20800 }
            // n = 4, score = 1000
            //   75e6                 | cmp                 ebp, 5
            //   5e                   | jb                  0xffffffc6
            //   5b                   | jmp                 0x13
            //   c20800               | inc                 ecx

        $sequence_125 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 }
            // n = 7, score = 1000
            //   8b02                 | jne                 0xa
            //   43                   | xor                 ebx, ebx
            //   8acb                 | pop                 ebx
            //   d3c0                 | leave               
            //   33c6                 | ret                 4
            //   33442410             | push                ecx
            //   8bf0                 | push                esi

        $sequence_126 = { 8bc3 5b c3 a1???????? 83c040 50 }
            // n = 6, score = 1000
            //   8bc3                 | mov                 esi, eax
            //   5b                   | cmp                 esi, ebx
            //   c3                   | test                eax, eax
            //   a1????????           |                     
            //   83c040               | je                  0x13
            //   50                   | push                eax

        $sequence_127 = { 0f84eb000000 83780408 0f84d9000000 488bcb }
            // n = 4, score = 1000
            //   0f84eb000000         | push                edi
            //   83780408             | cmp                 eax, edi
            //   0f84d9000000         | je                  0x16
            //   488bcb               | lea                 ecx, [ebp - 4]

        $sequence_128 = { ff15???????? 4885c0 488bd8 742b }
            // n = 4, score = 1000
            //   ff15????????         |                     
            //   4885c0               | mov                 esi, eax
            //   488bd8               | cmp                 esi, ebx
            //   742b                 | je                  0x49

        $sequence_129 = { 488bce e8???????? 488b5c2440 488b742448 488bc7 4883c430 5f }
            // n = 7, score = 1000
            //   488bce               | ret                 4
            //   e8????????           |                     
            //   488b5c2440           | push                0
            //   488b742448           | cmp                 eax, edi
            //   488bc7               | je                  0x16
            //   4883c430             | lea                 ecx, [ebp - 4]
            //   5f                   | push                ecx

        $sequence_130 = { 8bf1 05fefeffff 33db 33c9 }
            // n = 4, score = 1000
            //   8bf1                 | push                edi
            //   05fefeffff           | push                eax
            //   33db                 | add                 esp, 0xc
            //   33c9                 | cmp                 eax, edi

        $sequence_131 = { 83c304 3b3e 72dc 8b45fc 5f 5b }
            // n = 6, score = 1000
            //   83c304               | xor                 eax, eax
            //   3b3e                 | cmp                 eax, edi
            //   72dc                 | mov                 edx, ebx
            //   8b45fc               | jmp                 6
            //   5f                   | xor                 eax, eax
            //   5b                   | cmp                 eax, edi

        $sequence_132 = { ff7008 ff750c ff7508 e8???????? 0945fc }
            // n = 5, score = 1000
            //   ff7008               | mov                 edx, ebx
            //   ff750c               | jmp                 4
            //   ff7508               | xor                 eax, eax
            //   e8????????           |                     
            //   0945fc               | cmp                 eax, edi

        $sequence_133 = { e8???????? 8d45fc 50 8b4508 e8???????? 85c0 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8d45fc               | cmp                 eax, ebx
            //   50                   | jne                 0x16
            //   8b4508               | cmp                 eax, ebx
            //   e8????????           |                     
            //   85c0                 | mov                 ebx, eax

        $sequence_134 = { eb13 ff75fc 6a00 ff35???????? ff15???????? 33db }
            // n = 6, score = 1000
            //   eb13                 | mov                 dword ptr [ebp - 0xc], ebx
            //   ff75fc               | je                  0xe6
            //   6a00                 | push                esi
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   33db                 | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_135 = { 8ac3 5b c9 c20400 53 56 8bf0 }
            // n = 7, score = 1000
            //   8ac3                 | pop                 ebx
            //   5b                   | pop                 ecx
            //   c9                   | ret                 4
            //   c20400               | push                0
            //   53                   | pop                 ecx
            //   56                   | ret                 4
            //   8bf0                 | push                0

        $sequence_136 = { 488bcf ff15???????? 85c0 7508 ff15???????? 8bd8 }
            // n = 6, score = 900
            //   488bcf               | push                0xff676980
            //   ff15????????         |                     
            //   85c0                 | pop                 ecx
            //   7508                 | ret                 4
            //   ff15????????         |                     
            //   8bd8                 | push                0

        $sequence_137 = { 50 ff5108 ff75f4 e8???????? }
            // n = 4, score = 900
            //   50                   | je                  0x1b
            //   ff5108               | je                  0x11
            //   ff75f4               | push                eax
            //   e8????????           |                     

        $sequence_138 = { 4c8bc7 33d2 ff15???????? 33ff 4885ff }
            // n = 5, score = 900
            //   4c8bc7               | jmp                 0xe
            //   33d2                 | cmp                 ebp, 5
            //   ff15????????         |                     
            //   33ff                 | jb                  0xffffffc6
            //   4885ff               | jmp                 0x13

        $sequence_139 = { 741d 3dd2100000 7416 a1???????? }
            // n = 4, score = 900
            //   741d                 | je                  0x11
            //   3dd2100000           | push                eax
            //   7416                 | add                 esi, 4
            //   a1????????           |                     

        $sequence_140 = { 8d45fc 50 ff750c 33ff ff7508 217dfc }
            // n = 6, score = 900
            //   8d45fc               | push                1
            //   50                   | jmp                 4
            //   ff750c               | xor                 eax, eax
            //   33ff                 | cmp                 eax, edi
            //   ff7508               | je                  0x23
            //   217dfc               | push                eax

        $sequence_141 = { 4533c9 4889442428 215c2420 4533c0 }
            // n = 4, score = 900
            //   4533c9               | mov                 dword ptr [esp + 0x20], ebx
            //   4889442428           | test                eax, eax
            //   215c2420             | mov                 dword ptr [esp + 0x28], 0xea60
            //   4533c0               | dec                 esp

        $sequence_142 = { 832700 458be0 bb08000000 e8???????? 85c0 }
            // n = 5, score = 900
            //   832700               | test                eax, eax
            //   458be0               | mov                 ebx, eax
            //   bb08000000           | dec                 esp
            //   e8????????           |                     
            //   85c0                 | cmovne              ecx, eax

        $sequence_143 = { e9???????? 33c9 bb26040000 48870d???????? 4885c9 }
            // n = 5, score = 900
            //   e9????????           |                     
            //   33c9                 | dec                 eax
            //   bb26040000           | mov                 dword ptr [esp + 0x20], ebx
            //   48870d????????       |                     
            //   4885c9               | test                eax, eax

        $sequence_144 = { 488bce ff15???????? 4c8d4c2450 4c8d442458 }
            // n = 4, score = 900
            //   488bce               | inc                 ecx
            //   ff15????????         |                     
            //   4c8d4c2450           | pop                 esp
            //   4c8d442458           | pop                 edi

        $sequence_145 = { ff15???????? 4c8d4c2450 4c8d442458 8d5001 488bce e8???????? }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   4c8d4c2450           | mov                 esi, 1
            //   4c8d442458           | mov                 eax, esi
            //   8d5001               | dec                 eax
            //   488bce               | add                 esp, 0x40
            //   e8????????           |                     

        $sequence_146 = { 488bc8 41b905000000 488bd8 ff15???????? }
            // n = 4, score = 900
            //   488bc8               | cmovne              ecx, eax
            //   41b905000000         | dec                 eax
            //   488bd8               | mov                 dword ptr [esp + 0x20], ebx
            //   ff15????????         |                     

        $sequence_147 = { 488364243000 448d4301 4533c9 ba000000c0 }
            // n = 4, score = 900
            //   488364243000         | mov                 esi, eax
            //   448d4301             | cmp                 esi, ebx
            //   4533c9               | je                  0x49
            //   ba000000c0           | push                -1

        $sequence_148 = { 4883c208 413bca 7ce6 413bca }
            // n = 4, score = 900
            //   4883c208             | lea                 ecx, [ebx + eax*8]
            //   413bca               | inc                 ecx
            //   7ce6                 | movzx               eax, byte ptr [ecx + 3]
            //   413bca               | dec                 eax

        $sequence_149 = { 7416 a1???????? 83c004 50 }
            // n = 4, score = 900
            //   7416                 | push                eax
            //   a1????????           |                     
            //   83c004               | cmp                 edi, ebx
            //   50                   | je                  0x19

        $sequence_150 = { 488d4c246c 66ba2e00 ff15???????? 488bf0 488d44246c }
            // n = 5, score = 900
            //   488d4c246c           | mov                 edx, dword ptr [esp + 0x48]
            //   66ba2e00             | inc                 esp
            //   ff15????????         |                     
            //   488bf0               | mov                 eax, eax
            //   488d44246c           | mov                 ebx, eax

        $sequence_151 = { ff15???????? eb14 488b0d???????? 4c8bc7 }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   eb14                 | mov                 dword ptr [esp + 0x20], ebx
            //   488b0d????????       |                     
            //   4c8bc7               | test                eax, eax

        $sequence_152 = { ff35???????? ffd3 8bd8 85db 7476 }
            // n = 5, score = 900
            //   ff35????????         |                     
            //   ffd3                 | je                  0x18
            //   8bd8                 | cmp                 eax, ebx
            //   85db                 | je                  0x11
            //   7476                 | push                eax

        $sequence_153 = { 8d442430 50 8d442428 50 8d442428 }
            // n = 5, score = 900
            //   8d442430             | xor                 eax, eax
            //   50                   | cmp                 eax, ebx
            //   8d442428             | je                  0x23
            //   50                   | push                eax
            //   8d442428             | cmp                 edi, ebx

        $sequence_154 = { 4d8bc4 33d2 ff15???????? 4d85ed 7412 488b0d???????? 4d8bc5 }
            // n = 7, score = 800
            //   4d8bc4               | jb                  0xffffffc3
            //   33d2                 | jmp                 0x10
            //   ff15????????         |                     
            //   4d85ed               | mov                 ebx, 0x7f
            //   7412                 | jmp                 0x10
            //   488b0d????????       |                     
            //   4d8bc5               | mov                 ebx, 0x7e

        $sequence_155 = { e9???????? 488bcb ff15???????? a810 }
            // n = 4, score = 800
            //   e9????????           |                     
            //   488bcb               | mov                 ebx, 0xea60
            //   ff15????????         |                     
            //   a810                 | push                ebx

        $sequence_156 = { 0fba261f 0f92c0 f6d8 1bc0 }
            // n = 4, score = 800
            //   0fba261f             | push                1
            //   0f92c0               | push                dword ptr [esp + 0x10]
            //   f6d8                 | pop                 ebx
            //   1bc0                 | pop                 ecx

        $sequence_157 = { b922010000 e9???????? b90a010000 e9???????? }
            // n = 4, score = 800
            //   b922010000           | cmp                 eax, edi
            //   e9????????           |                     
            //   b90a010000           | mov                 dword ptr [ebp - 0x20], eax
            //   e9????????           |                     

        $sequence_158 = { 418bcd e8???????? e9???????? b909010000 }
            // n = 4, score = 800
            //   418bcd               | add                 esp, 0xc
            //   e8????????           |                     
            //   e9????????           |                     
            //   b909010000           | cmp                 eax, edi

        $sequence_159 = { 488364242000 4c8d8c2480000000 448bc6 498bd5 }
            // n = 4, score = 800
            //   488364242000         | ret                 4
            //   4c8d8c2480000000     | push                0
            //   448bc6               | pop                 ecx
            //   498bd5               | ret                 4

        $sequence_160 = { 4533c0 33d2 33db ff15???????? 85c0 8bf8 }
            // n = 6, score = 800
            //   4533c0               | pop                 ecx
            //   33d2                 | ret                 4
            //   33db                 | push                0
            //   ff15????????         |                     
            //   85c0                 | push                1
            //   8bf8                 | pop                 esi

        $sequence_161 = { 803f2a 750b 4883c701 83c3ff }
            // n = 4, score = 800
            //   803f2a               | test                eax, eax
            //   750b                 | dec                 eax
            //   4883c701             | mov                 ebx, eax
            //   83c3ff               | je                  0x30

        $sequence_162 = { 4c8b05???????? 41be01000000 33c9 418bd6 ff15???????? }
            // n = 5, score = 800
            //   4c8b05????????       |                     
            //   41be01000000         | push                ebx
            //   33c9                 | mov                 ebx, 0xea60
            //   418bd6               | push                ebx
            //   ff15????????         |                     

        $sequence_163 = { 4c63c0 33d2 4983c00c ff15???????? }
            // n = 4, score = 800
            //   4c63c0               | mov                 ebx, 0xea60
            //   33d2                 | jne                 0xf
            //   4983c00c             | push                ebx
            //   ff15????????         |                     

        $sequence_164 = { 4533c0 33d2 ff15???????? 85c0 7511 ff15???????? }
            // n = 6, score = 800
            //   4533c0               | mov                 eax, 0x800
            //   33d2                 | push                eax
            //   ff15????????         |                     
            //   85c0                 | push                esi
            //   7511                 | jne                 7
            //   ff15????????         |                     

        $sequence_165 = { 53 56 8bf1 05fefeffff }
            // n = 4, score = 800
            //   53                   | je                  0x4e
            //   56                   | mov                 eax, dword ptr [ebp - 4]
            //   8bf1                 | add                 eax, eax
            //   05fefeffff           | mov                 edx, ebx

        $sequence_166 = { 895df4 895df0 c745f857000000 bf19010000 }
            // n = 4, score = 800
            //   895df4               | cmp                 ebx, 0x103
            //   895df0               | jne                 0xa
            //   c745f857000000       | xor                 ebx, ebx
            //   bf19010000           | leave               

        $sequence_167 = { 488b0d???????? 448bc0 8bd8 33d2 4983c001 }
            // n = 5, score = 800
            //   488b0d????????       |                     
            //   448bc0               | jne                 8
            //   8bd8                 | test                ah, ah
            //   33d2                 | ja                  0xa
            //   4983c001             | dec                 eax

        $sequence_168 = { a1???????? 25efff0000 0bc2 e9???????? }
            // n = 4, score = 800
            //   a1????????           |                     
            //   25efff0000           | pop                 esi
            //   0bc2                 | pop                 ebx
            //   e9????????           |                     

        $sequence_169 = { 6a03 8935???????? 8935???????? 8935???????? }
            // n = 4, score = 800
            //   6a03                 | jne                 0xfffffff3
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     

        $sequence_170 = { 488bd5 ff15???????? 85c0 7423 48215c2420 442be6 }
            // n = 6, score = 700
            //   488bd5               | dec                 esp
            //   ff15????????         |                     
            //   85c0                 | lea                 ecx, [esp + 0x50]
            //   7423                 | dec                 esp
            //   48215c2420           | lea                 eax, [esp + 0x58]
            //   442be6               | lea                 edx, [eax + 1]

        $sequence_171 = { 7433 ff15???????? 3db7000000 751d }
            // n = 4, score = 700
            //   7433                 | push                0
            //   ff15????????         |                     
            //   3db7000000           | pop                 ebp
            //   751d                 | pop                 ebx

        $sequence_172 = { 56 57 4154 4155 4156 4883ec50 488bf1 }
            // n = 7, score = 700
            //   56                   | mov                 dword ptr [esp + 4], eax
            //   57                   | mov                 ecx, 1
            //   4154                 | lea                 edx, [0x25354a]
            //   4155                 | mov                 ebx, dword ptr [eax + 0x1c]
            //   4156                 | mov                 ecx, dword ptr [ecx + 0x50]
            //   4883ec50             | mov                 dword ptr [esp], 0
            //   488bf1               | mov                 dword ptr [esp + 4], ecx

        $sequence_173 = { ff15???????? 488b0d???????? 4889040f 4883c708 492bf6 }
            // n = 5, score = 700
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4889040f             | mov                 dword ptr [ebp - 0xb0], eax
            //   4883c708             | mov                 dword ptr [ebp - 0xb4], ecx
            //   492bf6               | mov                 dword ptr [ebp - 0xb8], edx

        $sequence_174 = { 488bf8 7464 48215c2420 8bee 4c8d8c2480000000 }
            // n = 5, score = 700
            //   488bf8               | lea                 eax, [esp + 0x58]
            //   7464                 | lea                 edx, [eax + 1]
            //   48215c2420           | dec                 eax
            //   8bee                 | mov                 ecx, esi
            //   4c8d8c2480000000     | test                eax, eax

        $sequence_175 = { 4903ed 448bc6 488bc8 488bd5 ff15???????? }
            // n = 5, score = 700
            //   4903ed               | dec                 esp
            //   448bc6               | lea                 ecx, [esp + 0x50]
            //   488bc8               | dec                 esp
            //   488bd5               | lea                 eax, [esp + 0x58]
            //   ff15????????         |                     

        $sequence_176 = { c20400 55 8bec 83e4f8 83ec0c a1???????? 53 }
            // n = 7, score = 700
            //   c20400               | push                dword ptr [esp + 0xc]
            //   55                   | mov                 esi, ecx
            //   8bec                 | add                 eax, 0xfffffefe
            //   83e4f8               | xor                 ebx, ebx
            //   83ec0c               | xor                 ecx, ecx
            //   a1????????           |                     
            //   53                   | push                3

        $sequence_177 = { 488d542438 488bcb e8???????? eb02 33c0 85c0 }
            // n = 6, score = 700
            //   488d542438           | je                  0x1f
            //   488bcb               | push                eax
            //   e8????????           |                     
            //   eb02                 | xor                 eax, eax
            //   33c0                 | cmp                 eax, edi
            //   85c0                 | je                  0x1d

        $sequence_178 = { eb23 6a02 5e 68???????? }
            // n = 4, score = 600
            //   eb23                 | dec                 esp
            //   6a02                 | cmovne              ecx, eax
            //   5e                   | dec                 eax
            //   68????????           |                     

        $sequence_179 = { e8???????? 85c0 751a ff7620 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   751a                 | cmovne              ecx, eax
            //   ff7620               | dec                 eax

        $sequence_180 = { e8???????? 4883c428 c3 488d82204a0000 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   4883c428             | push                dword ptr [ebp - 0x10]
            //   c3                   | push                dword ptr [ebp - 0xc]
            //   488d82204a0000       | push                0x122

        $sequence_181 = { eb05 bb08000000 4c8d9c24c0000000 8bc3 }
            // n = 4, score = 600
            //   eb05                 | pop                 ecx
            //   bb08000000           | ret                 4
            //   4c8d9c24c0000000     | pop                 ecx
            //   8bc3                 | ret                 4

        $sequence_182 = { 85c0 7409 21b42410020000 eb0d }
            // n = 4, score = 600
            //   85c0                 | push                eax
            //   7409                 | xor                 eax, eax
            //   21b42410020000       | jmp                 4
            //   eb0d                 | xor                 eax, eax

        $sequence_183 = { e8???????? e9???????? 8d45f8 50 8d450c }
            // n = 5, score = 600
            //   e8????????           |                     
            //   e9????????           |                     
            //   8d45f8               | cmp                 ebx, edi
            //   50                   | xor                 edx, edx
            //   8d450c               | dec                 eax

        $sequence_184 = { c3 488d82204a0000 488982284a0000 488900 }
            // n = 4, score = 600
            //   c3                   | mov                 ebp, esp
            //   488d82204a0000       | sub                 esp, 0xc
            //   488982284a0000       | and                 dword ptr [ebp - 8], 0
            //   488900               | ret                 4

        $sequence_185 = { 4c8d9c24f0010000 498b5b28 498b7330 498be3 415d 415c }
            // n = 6, score = 600
            //   4c8d9c24f0010000     | xor                 eax, eax
            //   498b5b28             | cmp                 eax, edi
            //   498b7330             | je                  0x21
            //   498be3               | push                eax
            //   415d                 | cmp                 eax, edi
            //   415c                 | je                  0x1f

        $sequence_186 = { ff15???????? 85ff 7406 57 e8???????? }
            // n = 5, score = 600
            //   ff15????????         |                     
            //   85ff                 | mov                 ebx, edi
            //   7406                 | mov                 esi, edi
            //   57                   | dec                 eax
            //   e8????????           |                     

        $sequence_187 = { 33d2 ff15???????? 493bc6 488bf8 }
            // n = 4, score = 500
            //   33d2                 | pop                 eax
            //   ff15????????         |                     
            //   493bc6               | cmp                 eax, edi
            //   488bf8               | push                eax

        $sequence_188 = { 488b0d???????? 4c8bc5 33d2 ff15???????? e9???????? }
            // n = 5, score = 500
            //   488b0d????????       |                     
            //   4c8bc5               | push                ebx
            //   33d2                 | mov                 ebx, 0xea60
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_189 = { 33d2 33c9 e8???????? 85c0 0f8561010000 8b4348 a801 }
            // n = 7, score = 500
            //   33d2                 | push                eax
            //   33c9                 | push                edi
            //   e8????????           |                     
            //   85c0                 | push                dword ptr [ebp + 8]
            //   0f8561010000         | push                eax
            //   8b4348               | push                edi
            //   a801                 | push                dword ptr [ebp + 8]

        $sequence_190 = { 0f85e8000000 488b4608 488b0e 4533c9 448bc5 498bd4 }
            // n = 6, score = 500
            //   0f85e8000000         | push                ebx
            //   488b4608             | push                dword ptr [ebp + 0xc]
            //   488b0e               | push                ebx
            //   4533c9               | mov                 ebx, 0xea60
            //   448bc5               | push                ebx
            //   498bd4               | jne                 7

        $sequence_191 = { 84c0 0f89a3000000 8b434c a804 7415 397b44 }
            // n = 6, score = 500
            //   84c0                 | jne                 0x11
            //   0f89a3000000         | push                ebx
            //   8b434c               | mov                 ebx, 0xea60
            //   a804                 | push                ebx
            //   7415                 | lea                 eax, [ebp - 8]
            //   397b44               | push                4

        $sequence_192 = { 488d4c2430 448bcf 4533c0 e8???????? 483bc3 488905???????? 0f8403010000 }
            // n = 7, score = 500
            //   488d4c2430           | push                0x10
            //   448bcf               | pop                 eax
            //   4533c0               | cmp                 eax, edi
            //   e8????????           |                     
            //   483bc3               | jmp                 7
            //   488905????????       |                     
            //   0f8403010000         | xor                 eax, eax

        $sequence_193 = { 0f8480010000 448b484c 41f6c108 7415 4c8d40cc 33d2 }
            // n = 6, score = 500
            //   0f8480010000         | push                ebx
            //   448b484c             | mov                 ebx, 0xea60
            //   41f6c108             | push                ebx
            //   7415                 | jne                 0x10
            //   4c8d40cc             | push                ebx
            //   33d2                 | mov                 ebx, 0xea60

        $sequence_194 = { 7427 488d542420 b901020000 ff15???????? 85c0 }
            // n = 5, score = 400
            //   7427                 | xor                 eax, eax
            //   488d542420           | cmp                 eax, edi
            //   b901020000           | je                  0x1a
            //   ff15????????         |                     
            //   85c0                 | inc                 cx

        $sequence_195 = { 488bc8 e8???????? 48898424e0010000 4885c0 }
            // n = 4, score = 400
            //   488bc8               | xor                 edx, edx
            //   e8????????           |                     
            //   48898424e0010000     | dec                 eax
            //   4885c0               | cmp                 eax, ebx

        $sequence_196 = { 4c8be8 4885c0 7508 8d5f08 e9???????? }
            // n = 5, score = 400
            //   4c8be8               | pop                 ebx
            //   4885c0               | pop                 ecx
            //   7508                 | ret                 4
            //   8d5f08               | push                0
            //   e9????????           |                     

        $sequence_197 = { 33ff e8???????? 4c8be8 4885c0 }
            // n = 4, score = 400
            //   33ff                 | pop                 ebx
            //   e8????????           |                     
            //   4c8be8               | pop                 ecx
            //   4885c0               | ret                 4

        $sequence_198 = { e8???????? 488bf8 4885c0 7427 488d542420 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   488bf8               | mov                 ebx, eax
            //   4885c0               | je                  0x40
            //   7427                 | inc                 cx
            //   488d542420           | mov                 eax, 0xd233005c

        $sequence_199 = { 488d4b07 4c8d442470 488d542440 e8???????? 8bd8 85c0 }
            // n = 6, score = 400
            //   488d4b07             | push                -1
            //   4c8d442470           | push                ebx
            //   488d542440           | mov                 esi, eax
            //   e8????????           |                     
            //   8bd8                 | cmp                 esi, ebx
            //   85c0                 | je                  0x47

        $sequence_200 = { 448d4256 ff15???????? 4c8be0 4885c0 0f8405010000 }
            // n = 5, score = 400
            //   448d4256             | pop                 ecx
            //   ff15????????         |                     
            //   4c8be0               | ret                 4
            //   4885c0               | push                0
            //   0f8405010000         | pop                 ecx

        $sequence_201 = { 488bcd 89442428 488b842410020000 4889442420 e8???????? 8bd8 85c0 }
            // n = 7, score = 400
            //   488bcd               | je                  0x49
            //   89442428             | mov                 esi, eax
            //   488b842410020000     | cmp                 esi, ebx
            //   4889442420           | je                  0x47
            //   e8????????           |                     
            //   8bd8                 | mov                 eax, ebp
            //   85c0                 | pop                 ebp

        $sequence_202 = { 30c0 85f6 57 884c2413 0f869c000000 eb04 }
            // n = 6, score = 300
            //   30c0                 | add                 esi, 4
            //   85f6                 | cmp                 edi, ebx
            //   57                   | je                  0x1c
            //   884c2413             | push                eax
            //   0f869c000000         | mov                 edx, edi
            //   eb04                 | jmp                 6

        $sequence_203 = { 3010 40 c1ca08 e2e4 c9 }
            // n = 5, score = 300
            //   3010                 | je                  0x23
            //   40                   | mov                 edx, edi
            //   c1ca08               | jmp                 4
            //   e2e4                 | xor                 eax, eax
            //   c9                   | cmp                 eax, ebx

        $sequence_204 = { 8b3a 83c204 8b0a 83e908 83c204 85c9 }
            // n = 6, score = 300
            //   8b3a                 | je                  0x23
            //   83c204               | push                eax
            //   8b0a                 | push                eax
            //   83e908               | cmp                 edi, ebx
            //   83c204               | je                  0x18
            //   85c9                 | cmp                 eax, ebx

        $sequence_205 = { 8b4d0c 8b5510 31db 90 }
            // n = 4, score = 300
            //   8b4d0c               | je                  0x11
            //   8b5510               | push                eax
            //   31db                 | add                 esi, 4
            //   90                   | push                eax

        $sequence_206 = { 66837b0200 7451 0fb70b 0fb76b02 }
            // n = 4, score = 300
            //   66837b0200           | add                 esi, 4
            //   7451                 | cmp                 edi, ebx
            //   0fb70b               | je                  0x1b
            //   0fb76b02             | cmp                 eax, ebx

        $sequence_207 = { 8974241c 894c2418 56 57 51 90 8b742428 }
            // n = 7, score = 300
            //   8974241c             | je                  8
            //   894c2418             | push                eax
            //   56                   | cmp                 edi, ebx
            //   57                   | je                  0x1b
            //   51                   | add                 esi, 4
            //   90                   | cmp                 edi, ebx
            //   8b742428             | je                  0x18

        $sequence_208 = { 01d1 894c2414 8b4c2424 01c1 83c304 }
            // n = 5, score = 300
            //   01d1                 | xor                 eax, eax
            //   894c2414             | cmp                 eax, ebx
            //   8b4c2424             | je                  0x1d
            //   01c1                 | cmp                 eax, ebx
            //   83c304               | je                  0x11

        $sequence_209 = { 5e 01d5 01d3 b101 3b5c2428 0f8266ffffff 5f }
            // n = 7, score = 300
            //   5e                   | je                  8
            //   01d5                 | push                eax
            //   01d3                 | cmp                 edi, ebx
            //   b101                 | mov                 edx, edi
            //   3b5c2428             | jmp                 4
            //   0f8266ffffff         | xor                 eax, eax
            //   5f                   | cmp                 eax, ebx

        $sequence_210 = { 0f1101 8b8558ffffff c1e004 01c6 8b8554ffffff c1e003 }
            // n = 6, score = 100
            //   0f1101               | test                eax, eax
            //   8b8558ffffff         | push                eax
            //   c1e004               | push                0x10
            //   01c6                 | pop                 eax
            //   8b8554ffffff         | cmp                 eax, edi
            //   c1e003               | push                eax

        $sequence_211 = { 83e001 898544ffffff 89f8 c1e81f c1ef1d 83e701 }
            // n = 6, score = 100
            //   83e001               | push                dword ptr [ebp + 8]
            //   898544ffffff         | push                eax
            //   89f8                 | push                edi
            //   c1e81f               | push                dword ptr [ebp + 8]
            //   c1ef1d               | cmp                 eax, ebx
            //   83e701               | jne                 0x16

        $sequence_212 = { 894dec 8955e8 8975e4 8945e0 0f84f2000000 8b45f0 83f800 }
            // n = 7, score = 100
            //   894dec               | xor                 eax, eax
            //   8955e8               | cmp                 eax, edi
            //   8975e4               | push                0x10
            //   8945e0               | pop                 eax
            //   0f84f2000000         | cmp                 eax, edi
            //   8b45f0               | push                dword ptr [ebp - 0x10]
            //   83f800               | push                dword ptr [ebp - 0xc]

        $sequence_213 = { 89e2 894a04 c70204010000 8b15???????? 8985e8fdffff 898de4fdffff ffd2 }
            // n = 7, score = 100
            //   89e2                 | mov                 dword ptr [ebp - 0xc], ebx
            //   894a04               | je                  0xde
            //   c70204010000         | push                esi
            //   8b15????????         |                     
            //   8985e8fdffff         | push                ebx
            //   898de4fdffff         | push                ebx
            //   ffd2                 | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_214 = { 890c24 c744240400000000 8955d4 e8???????? 8d0d96318702 890424 894c2404 }
            // n = 7, score = 100
            //   890c24               | push                eax
            //   c744240400000000     | push                edi
            //   8955d4               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8d0d96318702         | push                4
            //   890424               | push                eax
            //   894c2404             | push                edi

        $sequence_215 = { 68???????? 8bbd6cffffff 57 898564ffffff }
            // n = 4, score = 100
            //   68????????           |                     
            //   8bbd6cffffff         | je                  0xe4
            //   57                   | push                esi
            //   898564ffffff         | mov                 ebx, eax

        $sequence_216 = { 8b4d08 8d153e342500 8d75d4 c645d44c }
            // n = 4, score = 100
            //   8b4d08               | je                  0x1a
            //   8d153e342500         | jmp                 0xa
            //   8d75d4               | xor                 eax, eax
            //   c645d44c             | cmp                 eax, edi

        $sequence_217 = { 89854cfdffff 8b854cfdffff 81c4d0020000 5f 5b 5e }
            // n = 6, score = 100
            //   89854cfdffff         | je                  0xea
            //   8b854cfdffff         | push                esi
            //   81c4d0020000         | push                ebx
            //   5f                   | push                ebx
            //   5b                   | lea                 eax, [ebp - 8]
            //   5e                   | push                4

        $sequence_218 = { 8b581c 8b4950 c7042400000000 894c2404 c744240800100000 c744240c04000000 897dec }
            // n = 7, score = 100
            //   8b581c               | call                esi
            //   8b4950               | test                eax, eax
            //   c7042400000000       | je                  0x27
            //   894c2404             | push                ecx
            //   c744240800100000     | push                edi
            //   c744240c04000000     | push                eax
            //   897dec               | call                esi

        $sequence_219 = { 8d0d84308702 31d2 8b75f0 894620 890c24 }
            // n = 5, score = 100
            //   8d0d84308702         | test                ebx, ebx
            //   31d2                 | mov                 dword ptr [ebp - 0xc], ebx
            //   8b75f0               | je                  0xd9
            //   894620               | test                ebx, ebx
            //   890c24               | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_220 = { c74424040d000000 c744240801000000 8bb550fdffff 8974240c 898548fdffff }
            // n = 5, score = 100
            //   c74424040d000000     | test                ebx, ebx
            //   c744240801000000     | mov                 dword ptr [ebp - 0xc], ebx
            //   8bb550fdffff         | je                  0xd2
            //   8974240c             | push                esi
            //   898548fdffff         | test                ebx, ebx

        $sequence_221 = { 894c2408 e8???????? 8b45a0 890424 c744240400040000 c744240802000000 8b4d8c }
            // n = 7, score = 100
            //   894c2408             | dec                 eax
            //   e8????????           |                     
            //   8b45a0               | lea                 ecx, [eax + 1]
            //   890424               | mov                 dx, 0x20
            //   c744240400040000     | jmp                 4
            //   c744240802000000     | xor                 eax, eax
            //   8b4d8c               | cmp                 eax, edi

        $sequence_222 = { 8b45dc 8b08 8b55ec 39d1 894de0 7419 ebd6 }
            // n = 7, score = 100
            //   8b45dc               | mov                 dword ptr [esp + 0x20], ebx
            //   8b08                 | test                eax, eax
            //   8b55ec               | mov                 ebx, 1
            //   39d1                 | dec                 ecx
            //   894de0               | mov                 ecx, esp
            //   7419                 | jmp                 0xc
            //   ebd6                 | add                 ebx, 1

        $sequence_223 = { b901000000 8d956cfdffff 891424 c74424040d000000 }
            // n = 4, score = 100
            //   b901000000           | mov                 byte ptr [eax + 0x1a], 0
            //   8d956cfdffff         | mov                 eax, dword ptr [esp + 0xc]
            //   891424               | test                eax, eax
            //   c74424040d000000     | jmp                 4

        $sequence_224 = { 890424 8b853cffffff 89442404 e8???????? b901000000 8d154a352500 }
            // n = 6, score = 100
            //   890424               | test                eax, eax
            //   8b853cffffff         | je                  0x1e
            //   89442404             | push                ecx
            //   e8????????           |                     
            //   b901000000           | push                edi
            //   8d154a352500         | push                eax

        $sequence_225 = { 898550ffffff 898d4cffffff 899548ffffff 89bd44ffffff e8???????? }
            // n = 5, score = 100
            //   898550ffffff         | mov                 dword ptr [esp + 0x28], 0xea60
            //   898d4cffffff         | dec                 esp
            //   899548ffffff         | cmovne              ecx, eax
            //   89bd44ffffff         | dec                 eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2940928
}
Download all Yara Rules