Common Information
Value:
rule YAKKA3_Campaign_Jan_20_CMSTP_Bypass {
	meta:
		description = "Yara Rule for Yakka3 campaign CMSTP Bypass"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-01-23"
		tlp = "white"
		category = "informational"
	strings:
		$s1 = "cmstp.exe" ascii wide
		$s2 = "CurrentVersion" ascii wide
		$s3 = "INF" ascii wide
		$a1 = { 0A 06 8E 69 2D 06 7E 18 }
	condition:
		uint16(0) == 0x5A4D and all of them
}
Category:
Type: Yara Rule
Misp Type:
Description:
Details Published Attributes CTI Title
Details Website 2020-01-27 31 Aggah: How to run a botnet without renting a Server (for more than a year) - Yoroi