diff --git a/Windows_API_Function.yar b/Windows_API_Function.yar
index 956bace..236b292 100644
--- a/Windows_API_Function.yar
+++ b/Windows_API_Function.yar
@@ -68,5 +68,8 @@ rule Windows_API_Function
 or
 /* trigger = 'PE' */
 (uint16be(uint32(0x3c)) == 0x5045)
+or
+/* MSI */
+(uint32be(0x0) == 0xd0cf11e0)
 )
 }
\ No newline at end of file
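Review bot: The added comment `/* MSI */` understates what the new trigger matches: `0xd0cf11e0` is the Compound File Binary (OLE2) header signature, which MSI packages share with legacy Office documents (.doc/.xls/.ppt), Outlook .msg files and other CFB containers, so every one of those file types now enters this rule's condition and the rule's match volume and false-positive profile change accordingly. Whether that broadening is intended cannot be told from the hunk; the rule's condition starts outside it. If it is intended, name it in the existing trigger comment style so the next maintainer is not surprised, e.g. `/* trigger = 'OLE2/CFB' (MSI, legacy Office, .msg) */`; if only MSI was meant, note that the CFB header alone cannot distinguish MSI from other OLE2 files. Independently, the check reads only the first four of the eight signature bytes; comparing the full signature, `(uint32be(0x0) == 0xd0cf11e0 and uint32be(0x4) == 0xa1b11ae1)`, makes the trigger as exact as the PE check above it, which verifies the e_lfanew-referenced 'PE' marker rather than a bare prefix.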