LoFP / legitimate downloads of \".vhd\" files would also trigger this

condition: selection
selection:
  Image|endswith:
  - \brave.exe
  - \chrome.exe
  - \firefox.exe
  - \iexplore.exe
  - \maxthon.exe
  - \MicrosoftEdge.exe
  - \msedge.exe
  - \msedgewebview2.exe
  - \opera.exe
  - \safari.exe
  - \seamonkey.exe
  - \vivaldi.exe
  - \whale.exe
  TargetFilename|contains: .vhd