
VHD Image Download Via Browser

Sigma Rules

Summary
The detection rule identifies the creation of Virtual Hard Disk (VHD) files, with the extensions ".vhd" or ".vhdx", by web browser processes. Malware often uses such files to conceal malicious payloads and evade conventional security controls. The rule monitors processes of popular browsers, including Brave, Chrome, Firefox, Internet Explorer, Maxthon, Microsoft Edge, Opera, Safari, SeaMonkey, Vivaldi, and Whale. When one of these browsers saves or downloads a file whose name contains the string ".vhd", the rule raises an alert, as this may indicate an evasion tactic by malware. Note that legitimate user activity, such as downloading VHD files for valid purposes, will also trigger this detection and produce false positives.
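The following is an added example, not the Sigma rule itself, that re-implements the detection logic described above in Python and runs it over a few constructed file-creation events. The event field names (image, target filename, user) are modelled on Sysmon file-creation telemetry, and the browser executable names are assumptions standing in for the browsers the rule lists; both are assumptions, not values taken from the rule.

```python
"""Added example re-implementing the summarised detection: a listed browser
process creates a file whose name contains '.vhd'. The browser image names
and the event fields below are assumptions, not the rule's own definitions."""

from dataclasses import dataclass

# Assumed executable names for the browsers named in the rule summary.
BROWSER_IMAGES = (
    "\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\iexplore.exe",
    "\\maxthon.exe", "\\msedge.exe", "\\opera.exe", "\\safari.exe",
    "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
)


@dataclass
class FileEvent:
    """Minimal file-creation event (fields modelled on Sysmon Event ID 11)."""
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the created file
    user: str = ""        # account the process ran as


def is_browser_image(image: str) -> bool:
    # Sigma string matching is case-insensitive, so normalise before comparing.
    return image.lower().endswith(BROWSER_IMAGES)


def matches_vhd_download(event: FileEvent) -> bool:
    """True when a listed browser writes a file whose name contains '.vhd'.

    Matching on the substring '.vhd' (not the extension) also covers '.vhdx'
    and in-progress download names such as 'image.vhd.crdownload'."""
    return is_browser_image(event.image) and ".vhd" in event.target_filename.lower()


def find_vhd_downloads(events):
    """Return the events that would raise the alert."""
    return [e for e in events if matches_vhd_download(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
              "C:\\Users\\alice\\Downloads\\invoice.vhd", "alice"),
    FileEvent("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
              "C:\\Users\\bob\\Downloads\\report.pdf", "bob"),
    FileEvent("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
              "C:\\Users\\carol\\Downloads\\Disk.VHDX", "carol"),
    # A non-browser process writing a VHD is out of scope for this rule.
    FileEvent("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\Temp\\backup.vhdx", "SYSTEM"),
    # Partial download: the '.vhd' substring still matches.
    FileEvent("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
              "C:\\Users\\alice\\Downloads\\setup.vhd.crdownload", "alice"),
]

if __name__ == "__main__":
    for hit in find_vhd_downloads(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} image={hit.image} file={hit.target_filename}")
```

Running the block prints three alerts (two for alice, one for carol); the svchost.exe and PDF events are ignored. Because the logic cannot tell a legitimate VHD download from a malicious one, an analyst still has to triage each hit, which is the false-positive caveat the summary raises.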
Categories
  • Windows
  • Cloud
Data Sources
  • File
Created: 2021-10-25