diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index 4fd4fa101..49b45faa8 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -74,7 +74,8 @@ detection:
         CommandLine|startswith:
             - 'C:\wsc.exe'
     selection_process2:
-        Image|endswith: '\Windows\Temp\DB\\*.exe'
+        Image|contains: '\Windows\Temp\DB\'
+        Image|endswith: '.exe'
     selection_process3:
         CommandLine|contains: '\nslookup.exe -q=TXT'
         ParentImage|contains: '\Autoit'
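Review bot: The new `selection_process2` ends its `Image|contains` value with a lone backslash, `'\Windows\Temp\DB\'`; the Sigma spec treats a single backslash before a non-wildcard character (or at the end) as a literal, but the explicit form `Image|contains: '\Windows\Temp\DB\\'` states that intent unambiguously and avoids backend-specific differences in how a trailing escape is rendered. The two modifiers on `Image` inside one mapping are ANDed, so the rewrite keeps the old intent (an `.exe` somewhere under `\Windows\Temp\DB\`) and fixes the problematic `*` inside an `endswith` value; a short comment on the selection saying so, e.g. `# any .exe under \Windows\Temp\DB\, matched as contains AND endswith`, would help the next maintainer. If the rule's `modified:` date is not bumped elsewhere in this commit, it should be, since the detection logic changed. The enclosing `detection:` block starts before the hunk.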