diff --git a/Defense evasion/qakbot-campaign-process-injection.md b/Defense evasion/qakbot-campaign-process-injection.md index 0b27b320..7ae2a97f 100644 --- a/Defense evasion/qakbot-campaign-process-injection.md +++ b/Defense evasion/qakbot-campaign-process-injection.md @@ -9,12 +9,10 @@ The following query detects if Qakbot has injected code into the *ping.exe* proc ## Query ```Kusto -DeviceProcessEvents -| where FileName == "esentutl.exe" -| where ProcessCommandLine has "WebCache" -| where ProcessCommandLine has_any ("V01", "/s", "/d") -| project ProcessCommandLine, InitiatingProcessParentFileName, -DeviceId, Timestamp +DeviceImageLoadEvents +| where InitiatingProcessFileName =~ "ping.exe" +| where FileName =~ "vaultcli.dll" +| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, DeviceId, Timestamp ``` ## Category
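Review bot: the new `project` line drops `InitiatingProcessParentFileName`, which the removed query carried and which is the one field an analyst needs to see what spawned the `ping.exe` that loaded `vaultcli.dll`; suggest keeping it in the `project` list, e.g. `| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, DeviceId, Timestamp`. Neither the old nor the new query bounds the search in time, so a leading `| where Timestamp > ago(7d)` (or whatever window the repo's other queries use) would keep the scan cheap on `DeviceImageLoadEvents`. The swap itself is the right call: the removed `esentutl.exe` / `WebCache` filter did not match the description above the fence ("detects if Qakbot has injected code into the *ping.exe* process"), while the `InitiatingProcessFileName =~ "ping.exe"` plus `FileName =~ "vaultcli.dll"` pair does, and the case-insensitive `=~` avoids misses on mixed-case image names.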