diff --git a/README.md b/README.md index 376f30b..a229274 100644 --- a/README.md +++ b/README.md @@ -1484,7 +1484,7 @@ While KVC employs evasion techniques, its operations can still leave forensic ar * **Event ID 4624:** Logon - shows logons associated with Sticky Keys backdoor (`SYSTEM` logon from `winlogon.exe` context). * **File System Artifacts:** * **`kvc.exe`, `kvc_pass.exe`:** The executables themselves. - * **Temporary Driver:** `kvc.sys` briefly present in a system location (likely DriverStore FileRepository or System32\\drivers) during atomic operations. + * **Temporary Driver:** `kvc.sys` is briefly present in `C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_XXXXXXXXXXXX\` during atomic operations. This location is dynamically resolved at runtime by querying the actual subdirectory name (e.g., `avc.inf_amd64_12ca23d60da30d59`), which varies per system. Importantly, this directory is protected by ACLs that grant write access only to **TrustedInstaller**, not to standard administrators - KVC must elevate to TI privileges before placing the driver here. * **Hijacked DLL:** `ExplorerFrame.dll` in `C:\Windows\System32` when watermark removal is active. * **Memory Dumps:** `.dmp` files created by `kvc dump` in the specified or default (`Downloads`) location. * **Credential Reports:** `.html`, `.txt`, `.json` files generated by `kvc export secrets` or `kvc bp` in the specified or default (`Downloads`) location.
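Review bot: the placeholder `avc.inf_amd64_XXXXXXXXXXXX\` in the rewritten **Temporary Driver** bullet reads as a literal directory even though the next sentence says the suffix is resolved at runtime and differs per system; write it as a clearly marked variable part (for example `avc.inf_amd64_<hash>\`, with the `avc.inf_amd64_12ca23d60da30d59` example kept) and tell defenders to match on the `DriverStore\FileRepository\avc.inf_amd64_*` prefix rather than a fixed path. The removed line hedged with "likely DriverStore FileRepository or System32\\drivers"; the new line should say whether `System32\drivers` is ruled out, otherwise the artifact list silently drops a location that earlier readers were told to check. Since the bullet now states that only **TrustedInstaller** can write to this directory, a `kvc.sys` creation there by anything other than the Windows servicing stack is itself a high-signal indicator and deserves a sentence in the detection guidance next to the Event ID entries above. Minor: the bare " - " in "standard administrators - KVC must elevate" is easy to misread inside a bulleted list; a semicolon or a new sentence reads more clearly.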