PowerShell Core DLL Loaded By Non PowerShell Process
About the rule
Rule Type
Standard
Rule Description
Detects the loading of the core PowerShell engine DLLs (System.Management.Automation) by a process that is not a known PowerShell host. This behaviour resembles Meterpreter's "load powershell" extension, which hosts the PowerShell runtime inside an arbitrary process instead of powershell.exe or pwsh.exe.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded"
  AND (MESSAGE = "System.Management.Automation"
       OR ORIGINALFILENAME = "System.Management.Automation.dll"
       OR OBJECTNAME endswith "\System.Management.Automation.dll,\System.Management.Automation.ni.dll")
  AND (PROCESSNAME notendswith ":\Program Files\PowerShell\7\pwsh.exe,:\Windows\System32\dsac.exe,:\WINDOWS\System32\RemoteFXvGPUDisablement.exe,:\Windows\System32\runscripthelper.exe,:\WINDOWS\System32\sdiagnhost.exe,:\Windows\System32\ServerManager.exe,:\Windows\System32\SyncAppvPublishingServer.exe,:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe,:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,:\Windows\System32\winrshost.exe,:\Windows\System32\wsmprovhost.exe,:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe,:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe,:\Windows\SysWOW64\winrshost.exe,:\Windows\SysWOW64\wsmprovhost.exe"
       AND (PROCESSNAME notcontains ":\Windows\Microsoft.NET\Framework\,:\Windows\Microsoft.NET\FrameworkArm\,:\Windows\Microsoft.NET\FrameworkArm64\,:\Windows\Microsoft.NET\Framework64"
            OR PROCESSNAME notendswith "\mscorsvw.exe"))
  AND ((PROCESSNAME notcontains ":\Program Files (x86)\Microsoft SQL Server Management Studio,:\Program Files\Microsoft SQL Server Management Studio"
        OR PROCESSNAME notendswith "\IDE\Ssms.exe")
       AND (PROCESSNAME notcontains ":\Program Files (x86)\Microsoft SQL Server\,:\Program Files\Microsoft SQL Server"
            OR PROCESSNAME notendswith "\Tools\Binn\SQLPS.exe")
       AND PROCESSNAME notendswith "\Citrix\ConfigSync\ConfigSyncRun.exe"
       AND PROCESSNAME notcontains ":\Program Files (x86)\Microsoft Visual Studio\,:\Program Files\Microsoft Visual Studio"
       AND PROCESSNAME notcontains ":\ProgramData\chocolatey\choco.exe"
       AND (PROCESSNAME notcontains ":\Windows\Temp\asgard2-agent"
            OR PROCESSNAME notendswith "\thor64.exe,\thor.exe")
       AND isExist(PROCESSNAME))
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.PRODUCT_NAME, Action1.OBJECTNAME
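As an added example (not the vendor's or the rule authors' code), the criteria above modelled in Python and run over constructed image-load events, so the allowlist logic can be checked before the rule is deployed; field names follow the rule, and string matching is assumed to be case-insensitive, as the mixed-case paths in the rule suggest.

```python
PS_DLLS = ("\\System.Management.Automation.dll", "\\System.Management.Automation.ni.dll")
# Each entry is (path fragments, filename suffixes): a process is excluded when PROCESSNAME contains
# a fragment (empty = any) AND ends with a suffix (empty = any), i.e. each "notcontains ... OR notendswith ..." clause negated.
EXCLUSIONS = [
    ((), (":\\Program Files\\PowerShell\\7\\pwsh.exe", ":\\Windows\\System32\\dsac.exe",
          ":\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe", ":\\Windows\\System32\\runscripthelper.exe",
          ":\\WINDOWS\\System32\\sdiagnhost.exe", ":\\Windows\\System32\\ServerManager.exe",
          ":\\Windows\\System32\\SyncAppvPublishingServer.exe", ":\\Windows\\System32\\winrshost.exe",
          ":\\Windows\\System32\\wsmprovhost.exe", ":\\Windows\\SysWOW64\\winrshost.exe", ":\\Windows\\SysWOW64\\wsmprovhost.exe",
          ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
          ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe")),
    ((":\\Windows\\Microsoft.NET\\Framework\\", ":\\Windows\\Microsoft.NET\\FrameworkArm\\",
      ":\\Windows\\Microsoft.NET\\FrameworkArm64\\", ":\\Windows\\Microsoft.NET\\Framework64"), ("\\mscorsvw.exe",)),
    ((":\\Program Files (x86)\\Microsoft SQL Server Management Studio", ":\\Program Files\\Microsoft SQL Server Management Studio"),
     ("\\IDE\\Ssms.exe",)),
    ((":\\Program Files (x86)\\Microsoft SQL Server\\", ":\\Program Files\\Microsoft SQL Server"), ("\\Tools\\Binn\\SQLPS.exe",)),
    ((), ("\\Citrix\\ConfigSync\\ConfigSyncRun.exe",)),
    ((":\\Program Files (x86)\\Microsoft Visual Studio\\", ":\\Program Files\\Microsoft Visual Studio"), ()),
    ((":\\ProgramData\\chocolatey\\choco.exe",), ()),
    ((":\\Windows\\Temp\\asgard2-agent",), ("\\thor64.exe", "\\thor.exe")),
]

def is_excluded(proc):
    # True when PROCESSNAME hits one of the rule's allowlist clauses (case-insensitive by assumption)
    p = proc.lower()
    for fragments, suffixes in EXCLUSIONS:
        frag_hit = not fragments or any(f.lower() in p for f in fragments)
        suffix_hit = not suffixes or any(p.endswith(s.lower()) for s in suffixes)
        if frag_hit and suffix_hit:
            return True
    return False

def matches_rule(ev):
    """True when the event would fire: PowerShell engine DLL loaded by a process outside the allowlist."""
    if ev.get("actionname") != "sa_imageloaded":
        return False
    msg, orig, obj = (str(ev.get(k, "")).lower() for k in ("MESSAGE", "ORIGINALFILENAME", "OBJECTNAME"))
    dll_hit = (msg == "system.management.automation" or orig == "system.management.automation.dll"
               or obj.endswith(tuple(d.lower() for d in PS_DLLS)))
    proc = ev.get("PROCESSNAME")  # isExist(PROCESSNAME): events without a process name never fire
    return dll_hit and bool(proc) and not is_excluded(proc)

GAC_DLL = "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"
SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    {"actionname": "sa_imageloaded", "PROCESSNAME": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OBJECTNAME": GAC_DLL},
    {"actionname": "sa_imageloaded", "PROCESSNAME": "C:\\Users\\Public\\svc_update.exe", "OBJECTNAME": GAC_DLL},
    {"actionname": "sa_imageloaded", "PROCESSNAME": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe", "OBJECTNAME": GAC_DLL},
    {"actionname": "sa_processcreated", "PROCESSNAME": "C:\\Users\\Public\\svc_update.exe", "OBJECTNAME": GAC_DLL},
]
def alerting_processes(events=SAMPLE_EVENTS):
    # Process names that would appear in the rule's select output for the given events
    return [e["PROCESSNAME"] for e in events if matches_rule(e)]
```

Only the unallowlisted svc_update.exe sample fires; the powershell.exe and mscorsvw.exe loads are suppressed by the exclusions, and the process-creation event is ignored because it is not an image-load action.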
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)