diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml index a212e029d..af19982e2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml @@ -4,15 +4,20 @@ status: experimental description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications author: frack113 references: - - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ - https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support + - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 + - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ + - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ date: 2022/07/16 +modified: 2022/07/16 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\ntvdm.exe' + Image|endswith: + - '\ntvdm.exe' + - '\csrstub.exe' condition: selection falsepositives: - Legitimate use
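Review bot: the description still only covers ntvdm.exe, while the selection now also matches `\csrstub.exe`; since the rule now fires on two images, the description should say what csrstub.exe is and why its execution is grouped with the NTVDM 16-bit compatibility case, otherwise an analyst triaging a csrstub.exe hit has nothing in the rule to go on. Two smaller points in the same hunk: `modified: 2022/07/16` is identical to `date: 2022/07/16`, so either the rule was created and modified on the same day (in which case the `modified` field adds nothing) or one of the two dates is wrong; and `falsepositives: - Legitimate use` gives no hint of what legitimate use looks like, so a note that both images are expected on hosts running legacy 16-bit/DOS software would help tuning.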