diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index de2641b07..bdfa6f6ac 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -56,6 +56,8 @@ detection:
 # Ursnif
 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
+ # Emotet
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
 # Others
 - '* pxyscand*'
 - '* asd'
diff --git a/rules/windows/sysmon/sysmon_hack_dumpert.yml b/rules/windows/sysmon/sysmon_hack_dumpert.yml
index 2a6f24ba0..329cc7201 100644
--- a/rules/windows/sysmon/sysmon_hack_dumpert.yml
+++ b/rules/windows/sysmon/sysmon_hack_dumpert.yml
@@ -30,6 +30,6 @@ logsource:
 service: sysmon
 detection:
 selection:
- EventID: 13
+ EventID: 11
 TargetFilename: C:\Windows\Temp\dumpert.dmp
 condition: selection
\ No newline at end of file
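Review bot: The new Emotet line is a verbatim user-agent match whose tokens (`MSIE 7.0` compatibility mode, `Trident/7.0`, `.NET4.0C`/`.NET4.0E`, `InfoPath.3`) are, as far as I can tell, exactly what a real IE11 in compatibility view on a Windows 8 host with Office installed sends, so this entry is likely to fire on legitimate browsing as well as on Emotet check-ins; the rule's `falsepositives` section (outside this hunk) should say so, and the string should be checked against the proxy's own baseline before this list is used at a high alert level. The inline tweet link is a fragile citation for a detection artefact; move it into the rule's `references:` list and shorten the comment here to `# Emotet (see references)`. Because every entry in this list is matched exactly, a single changed token (for example `Windows NT 6.1` instead of `6.2`) evades the new line just as it would the Ursnif lines above it, which is worth stating in the description so analysts do not read absence of hits as absence of Emotet. The `detection:` block this list belongs to starts before the hunk.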
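Review bot: The selection `TargetFilename: C:\Windows\Temp\dumpert.dmp` is an exact full-path match, so a dump written under a different drive letter, a different temp directory, or any path-casing variant that the backend compares case-sensitively is missed; anchoring on the file name alone, `TargetFilename|endswith: '\dumpert.dmp'`, keeps the same indicator while dropping the path dependency. Switching `EventID` from 13 (registry value set) to 11 (file create) is the right pairing for a `TargetFilename` field and is what the commit fixes, but the rule's `description` and `falsepositives` fields (outside this hunk) should state that it only catches the tool's default output name, which presumably anyone rebuilding the tool can change. The file also lacks a trailing newline; add one so the YAML ends cleanly.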