diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index 3afd9ff24ce..09ba23aa9c6 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2023-02-17
-modified: 2023-03-28
+modified: 2025-01-01
 tags:
 - attack.defense-evasion
 - attack.impact
@@ -31,6 +31,7 @@ detection:
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\Temp\{' # Installers
 - 'C:\Windows\WinSxS\'
+- 'C:\ProgramData\Package Cache\{' # NSIS "$TEMP" var Installers
 filter_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
 Image|startswith: