
Summary
The analytic rule identifies instances where the Windows Explorer process (explorer.exe) is executed with a URL in its command line, suggesting potential malicious behavior by adversaries such as those employing DCRat malware. This detection leverages logs from Endpoint Detection and Response (EDR) agents focusing on process execution, as the invocation of URLs directly through explorer.exe is uncommon and warrants scrutiny. If confirmed as malicious, this behavior may enable attackers to download and execute harmful payloads, risking system security and integrity. The detection algorithm excludes benign parent processes like `userinit.exe` or `svchost.exe`, focusing instead on the command line inputs that indicate URL activity. By leveraging key data sources such as Sysmon Event ID 1 and Windows Event Log Security ID 4688, organizations can effectively monitor for these anomalous processes and act swiftly against potential compromises.
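The following is an added example (not the rule's own query or code) of the detection logic described above, applied to constructed Sysmon Event ID 1 and Security Event ID 4688 records. Field names follow the standard Sysmon (`Image`, `ParentImage`, `CommandLine`) and 4688 (`NewProcessName`, `ParentProcessName`, `CommandLine`) schemas; the sample paths and hosts are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry): three Sysmon Event ID 1
# process-creation events and one Windows Security Event ID 4688 event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # URL + unusual parent
     "CommandLine": r'"C:\Windows\explorer.exe" https://example.invalid/payload.exe',
     "ParentImage": r"C:\Users\user\AppData\Roaming\stager.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # normal logon, no URL
     "CommandLine": r"C:\Windows\Explorer.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",  # URL, but excluded parent
     "CommandLine": r'"C:\Windows\explorer.exe" http://intranet.invalid/share',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\explorer.exe",  # 4688 schema
     "CommandLine": r"explorer.exe ftp://files.example.invalid/drop.zip",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

# URL pattern covering the schemes commonly passed to explorer.exe.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Parent processes the rule treats as benign (normal shell start-up paths).
EXCLUDED_PARENTS = {"userinit.exe", "svchost.exe"}

def normalize(event):
    """Map Sysmon EID 1 and Security EID 4688 fields onto one shape."""
    if event.get("EventID") == 1:
        return {"image": event.get("Image", ""), "parent": event.get("ParentImage", ""),
                "cmdline": event.get("CommandLine", "")}
    if event.get("EventID") == 4688:
        return {"image": event.get("NewProcessName", ""),
                "parent": event.get("ParentProcessName", ""),
                "cmdline": event.get("CommandLine", "")}
    return None  # not a process-creation event

def basename(path):
    return PureWindowsPath(path).name.lower()

def matches_rule(event):
    """True when explorer.exe is launched with a URL by a non-excluded parent."""
    n = normalize(event)
    if n is None or basename(n["image"]) != "explorer.exe":
        return False
    if basename(n["parent"]) in EXCLUDED_PARENTS:
        return False
    return URL_RE.search(n["cmdline"]) is not None

def find_suspicious(events):
    return [e for e in events if matches_rule(e)]
```

Running `find_suspicious(SAMPLE_EVENTS)` returns the first and last records; the `userinit.exe`-spawned logon shell and the URL launched under `svchost.exe` are filtered out, which is the exclusion the rule describes.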
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1105
Created: 2024-11-13