diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index aef75ec4e..5ee09618e 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -15,7 +15,11 @@ detection:
 selection:
 Image: '*\GUP.exe'
 filter:
- Image: '*\updater\*'
+ Image:
+ - 'C:\Users\*\AppData\Local\Notepad++\updater\gup.exe'
+ - 'C:\Users\*\AppData\Roaming\Notepad++\updater\gup.exe'
+ - 'C:\Program Files\Notepad++\updater\gup.exe'
+ - 'C:\Program Files (x86)\Notepad++\updater\gup.exe'
 condition: selection and not filter
 falsepositives:
 - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
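Review bot: The four new filter paths hard-code the `C:` drive, so a Notepad++ install on any other system or program-files drive will make every legitimate gup.exe launch fire this rule; if that matters for the deployments this rule targets, `*\Notepad++\updater\gup.exe` would keep the narrowing this commit intends (the old `*\updater\*` excluded any folder named updater anywhere on disk) without the drive dependency. Sigma's `*` also spans path separators, so `C:\Users\*\AppData\...` accepts any depth below Users and the per-user AppData locations are by nature user-writable; that is inherent to per-user installs rather than a defect of this change, but it is worth recording in the rule's description or falsepositives that the exclusion is path-based only and that pairing it with an image signature or hash field would be the way to harden it. Matching is presumably case-insensitive under Sigma defaults, so `GUP.exe` in selection versus `gup.exe` in the filter should be fine, but consistent casing would avoid confusion. The `detection:` block and the rule header start before this hunk.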