diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
index aa78f8cbc..98bc09e1c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2021/11/27
+modified: 2022/01/06
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -18,7 +18,9 @@ detection:
         Image|endswith: '\GfxDownloadWrapper.exe'
     filter:
         CommandLine|contains: 'gameplayapi.intel.com'
-        ParentImage|endswith: '\GfxDownloadWrapper.exe'
+        ParentImage|endswith:
+            - '\GfxDownloadWrapper.exe'
+            - '\igfxEM.exe'
     condition: image_path and not filter
 fields:
     - CommandLine
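Review bot: The new `'\igfxEM.exe'` entry in the filter's `ParentImage|endswith` list widens the exclusion without any in-rule explanation of why that parent is benign; the `description`/`falsepositives` sections sit outside the hunk and do not appear to be touched. Because the filter map's keys are ANDed, the new exclusion is still bounded by the `CommandLine|contains: 'gameplayapi.intel.com'` check, but a file-name suffix alone is a weak identity for the parent, so a same-named binary in an arbitrary directory would also suppress the alert. Add a comment above the new list item such as `# igfxEM.exe: Intel graphics host process that legitimately launches the updater (presumably from the driver store) — confirm`, and consider whether the parent can be constrained by a path component rather than the bare file name. The second hunk is the one reviewed; the first only bumps `modified`.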