diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml
index facc8f8dc..3b19d5120 100644
--- a/rules/windows/malware/win_mal_ursnif.yml
+++ b/rules/windows/malware/win_mal_ursnif.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 13
- TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
+ TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
 condition: selection
 falsepositives:
 - Unknown
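Review bot: The widened `TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'` now matches every EventID 13 value write below that key in any hive, yet the selection has no exclusion and `falsepositives` still says `Unknown`. Low-integrity Microsoft components such as Internet Explorer are expected to write under `AppDataLow\Software\Microsoft\`, so the rule will probably alert on benign activity now that the pattern can match. I would add a `filter` mapping for the benign subkeys found in a baseline (for example `TargetObject: '*\Software\AppDataLow\Software\Microsoft\Internet Explorer\\*'`), change the condition to `condition: selection and not filter`, and name those applications under `falsepositives`. The rule's title, level and logsource are outside the hunk, so I cannot check whether the level still suits the broader match.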