((Image:\\Sysmon64.exe OR Image:\\Sysmon.exe) OR Description:System\ activity\ monitor) (CommandLine:\-u* OR CommandLine:\/u* OR CommandLine:–u* OR CommandLine:—u* OR CommandLine:―u*)