Suspicious Microsoft OneNote Child Process

Action1: actionname = "Process started" AND PARENTPROCESSNAME endswith "\onenote.exe" AND (((ORIGINALFILENAME = "bitsadmin.exe,CertOC.exe,CertUtil.exe,Cmd.Exe,CMSTP.EXE,cscript.exe,curl.exe,HH.exe,IEExec.exe,InstallUtil.exe,javaw.exe,Microsoft.Workflow.Compiler.exe,msdt.exe,MSHTA.EXE" OR ORIGINALFILENAME = "msiexec.exe,Msxsl.exe,odbcconf.exe,pcalua.exe,PowerShell.EXE,RegAsm.exe,RegSvcs.exe,REGSVR32.exe,RUNDLL32.exe,schtasks.exe,ScriptRunner.exe,wmic.exe,WorkFolders.exe,wscript.exe") OR (PROCESSNAME endswith "\AppVLP.exe,\bash.exe,\bitsadmin.exe,\certoc.exe,\certutil.exe,\cmd.exe,\cmstp.exe,\control.exe,\cscript.exe,\curl.exe,\forfiles.exe,\hh.exe,\ieexec.exe,\installutil.exe,\javaw.exe,\mftrace.exe,\Microsoft.Workflow.Compiler.exe,\msbuild.exe,\msdt.exe,\mshta.exe" OR PROCESSNAME endswith "\msidb.exe,\msiexec.exe,\msxsl.exe,\odbcconf.exe,\pcalua.exe,\powershell.exe,\pwsh.exe,\regasm.exe,\regsvcs.exe,\regsvr32.exe,\rundll32.exe,\schtasks.exe,\scrcons.exe,\scriptrunner.exe,\sh.exe,\svchost.exe,\verclsid.exe,\wmic.exe,\workfolders.exe,\wscript.exe")) OR (PROCESSNAME endswith "\explorer.exe" AND COMMANDLINE contains ".hta,.vb,.wsh,.js,.ps,.scr,.pif,.bat,.cmd") OR PROCESSNAME contains "\AppData\,\Users\Public\,\ProgramData\,\Windows\Tasks\,\Windows\Temp\,\Windows\System32\Tasks") AND ((PROCESSNAME notendswith "\AppData\Local\Microsoft\Teams\current\Teams.exe" OR COMMANDLINE notendswith "-Embedding") AND (PROCESSNAME notcontains "\AppData\Local\Microsoft\OneDrive" OR PROCESSNAME notendswith "\FileCoAuth.exe" OR COMMANDLINE notendswith "-Embedding")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME