Python Image Load By Non-Python Process

Sigma Rules

Summary
This detection rule identifies instances where a non-Python process loads the "Python Core" image. Such activity is a potential indicator of a malicious Python script that was compiled with Py2Exe, which packages Python code into a standalone Windows executable. The rule specifically examines image loads whose path contains 'Python' and originates from the standard installation paths commonly associated with Python distributions. The detection condition requires that the image description include 'Python Core' while the loading image itself does not match the filters that typically signify legitimate operations, such as those covering expected binary paths. This rule is crucial for identifying potential abuse of Python environments in a Windows ecosystem, particularly where attackers may try to obfuscate their actions by mimicking legitimate processes.
Categories
  • Windows
Data Sources
  • Image
Created: 2020-05-03