
Esentutl Steals Browser Information

Sigma Rules

Summary
This rule detects suspicious invocations of `esentutl.exe`, a legitimate Windows utility for managing Extensible Storage Engine (ESE) databases. Qbot abuses it to extract browser data from Internet Explorer and Microsoft Edge, which keep browsing history, cookies and cache metadata in an ESE database under the user's WebCache directory; running esentutl in recovery mode against that database gives the malware a readable copy without touching the browser. The detection logic combines two conditions: the process image must be esentutl.exe (matched on the image filename, so a copy launched from outside System32 still matches), and the command line must contain the recovery switch (`-r`, also accepted as `/r`) together with a WebCache path. When both conditions hold, the event is flagged as a possible browser-data theft operation for analyst review. The rule is rated medium severity because administrators can legitimately run esentutl recovery against the same database, so some false positives are expected.
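The two conditions above, implemented as a small matcher and run over constructed Sysmon-style process-creation events. This is an added example, not the Sigma rule itself and not code from the rule's author: the field names (`Image`, `OriginalFileName`, `CommandLine`, `ProcessId`) follow the usual Sigma process_creation schema, the sample command lines are made up for the example, and the check on `OriginalFileName` (to catch a renamed copy of the binary) is an assumption of this example rather than something the summary states.

```python
import re
from typing import Dict, List

# Assumed event shape: a flat dict with Sigma/Sysmon process_creation field names.
Event = Dict[str, str]

# esentutl accepts its switches with either "/" or "-". Require the recovery
# switch to be a standalone token so that e.g. "/repair" does not match.
RECOVERY_FLAG = re.compile(r"(?:^|\s)[/-]r(?=\s|$)", re.IGNORECASE)
# WebCache lives under %LOCALAPPDATA%\Microsoft\Windows\WebCache, hence the
# "\Windows\WebCache" substring, matched case-insensitively.
WEBCACHE_PATH = re.compile(r"\\windows\\webcache", re.IGNORECASE)


def is_esentutl(event: Event) -> bool:
    """Image condition: the binary is esentutl.exe by filename, or (added
    assumption) by the PE's OriginalFileName, which survives renaming."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\esentutl.exe") or original == "esentutl.exe"


def recovery_on_webcache(cmdline: str) -> bool:
    """Command-line condition: recovery switch AND a WebCache location."""
    return bool(RECOVERY_FLAG.search(cmdline)) and bool(WEBCACHE_PATH.search(cmdline))


def matches(event: Event) -> bool:
    """Both selections must hold, mirroring the rule's 'all of selection_*'."""
    return is_esentutl(event) and recovery_on_webcache(event.get("CommandLine", ""))


def alerts(events: List[Event]) -> List[str]:
    """Return the ProcessIds of every event the rule would flag."""
    return [e["ProcessId"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # Qbot-style recovery of the user's WebCache database: should alert.
        "ProcessId": "4012",
        "Image": r"C:\Windows\System32\esentutl.exe",
        "OriginalFileName": "esentutl.exe",
        "CommandLine": r'esentutl.exe /r V01 /l"C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache"'
                       r' /s"C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache"',
    },
    {   # Renamed copy using the dash form of the switch: should still alert.
        "ProcessId": "5120",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "esentutl.exe",
        "CommandLine": r"svc.exe -r V01 -l C:\Users\bob\AppData\Local\Microsoft\Windows\WebCache",
    },
    {   # Integrity check on an unrelated ESE database: benign, no alert.
        "ProcessId": "6230",
        "Image": r"C:\Windows\System32\esentutl.exe",
        "OriginalFileName": "esentutl.exe",
        "CommandLine": r'esentutl.exe /g "C:\Windows\System32\catroot2\catdb"',
    },
    {   # Touches WebCache but without the recovery switch: no alert.
        "ProcessId": "7344",
        "Image": r"C:\Windows\System32\esentutl.exe",
        "OriginalFileName": "esentutl.exe",
        "CommandLine": r'esentutl.exe /p "C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"',
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ProcessId"], "ALERT" if matches(event) else "ok", "-", event["CommandLine"])
```

The last two samples show why the rule needs both conditions: esentutl routinely runs against other ESE databases, and other switches against WebCache (repair, integrity) are not the pattern Qbot uses, so alerting on the binary or the path alone would be noisy.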
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-02-13