diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
index 31baee22..bb310fd9 100644
--- a/host-interaction/process/get-process-filename.yml
+++ b/host-interaction/process/get-process-filename.yml
@@ -15,14 +15,22 @@ rule:
 examples:
 - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
 features:
- - and:
- # example:
- # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
- # mov rcx, [rax+18h] ; PEB64.Ldr
- # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
- # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
- - arch: amd64
- - characteristic: peb access
- - offset: 0x18 = PEB->Ldr
- - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
- - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+ - or:
+ - and:
+ - arch: i386
+ - characteristic: peb access
+ - offset: 0x0C = PEB->Ldr
+ - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+
+ - and:
+ # example:
+ # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
+ # mov rcx, [rax+18h] ; PEB64.Ldr
+ # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+ # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
+ - arch: amd64
+ - characteristic: peb access
+ - offset: 0x18 = PEB->Ldr
+ - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
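Review bot: The new `arch: i386` branch has no matching entry under `examples:`, which still lists only the amd64 sample `cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2`, so nothing in the rule's example set exercises the 32-bit offsets 0x0C/0x14/0x28; add a 32-bit sample in the same form, `- <i386 sample md5>:<function va>` (placeholder). The i386 block also lacks the `# example:` comment the amd64 block carries, so the offsets read as bare numbers; a mirrored four-line comment (`mov eax, fs:30h`, `[eax+0Ch]` PEB32.Ldr, `[eax+14h]` InMemoryOrderModuleList.Flink, `[eax+28h]`) would make the walk reviewable without a debugger. Worth double-checking the `= ...->FullDllName` labels on both branches: a pointer taken from InMemoryOrderModuleList.Flink lands inside the LDR_DATA_TABLE_ENTRY at its InMemoryOrderLinks member, and from there +0x50 (amd64) / +0x28 (i386) appears to reach BaseDllName.Buffer rather than FullDllName.Buffer in the published layouts, so the descriptions may mislead an analyst even though the numeric matches are unaffected.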