A system and method generating a database of tuple addresses associated with a computer program, the method comprising fetching from a repository of sample files a sample file suitable for running by the computer program, and performing dynamic learning of the sample file to obtain tuple addresses used by the computer program in loading of the sample file, the dynamic learning comprising while loading of the sample file by the computer program, monitoring loaded processes and modules, for each loaded process, tracing process branches, upon identification of a mispredicted branch, getting an address tuple of the mispredicted branch, and identifying a module to which the tuple belongs based on the module's base address.