(Image:\\fltMC.exe OR OriginalFileName:fltMC.exe) (CommandLine:unload* CommandLine:sysmon*)