diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
index 0d2367ab..f6dc1360 100644
--- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -1,6 +1,6 @@
 title: Regedit as Trusted Installer
 id: 883835a7-df45-43e4-bf1d-4268768afda4
-description: Detects a regedit started with TrustedInstaller privileges
+description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
 references:
     - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth
@@ -11,7 +11,9 @@ logsource:
 detection:
     selection:
         Image|endswith: '\regedit.exe'
-        ParentImage|endswith: '\TrustedInstaller.exe'
+        ParentImage|endswith:
+            - '\TrustedInstaller.exe'
+            - '\ProcessHacker.exe'
     condition: selection
 falsepositives:
     - Unlikely
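Review bot: The new `'\ProcessHacker.exe'` parent entry matches any regedit launched from Process Hacker, not only one running with TrustedInstaller privileges, yet the `falsepositives` entry in the same hunk is left at `- Unlikely` and the title still reads "Regedit as Trusted Installer". Administrators who use Process Hacker's context menu to open a key in regedit will now trigger this rule, so the false-positive section should say so, e.g. `- Administrators launching regedit from Process Hacker`, and the title or description should make clear that the ProcessHacker branch is a tool-based heuristic rather than a privilege check. The `logsource` and `level` fields lie outside this hunk, so whether the severity was adjusted to match the broader scope cannot be seen here; if it was not, it should be reconsidered alongside this change. Note also that the match is on the parent's file name only, which is consistent with the existing TrustedInstaller condition but worth stating in the description so analysts understand the rule does not verify the process integrity level.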