Forum Discussion
kevinh
22 hours ago
Bronze III
APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10
In relation to the question:
A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?
I am pretty lost as to where I should be looking, as searching for the zipped file activities did not bring up any notable PowerShell scripts.
I also tried inputting:
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well, which did not work.
No Replies