((EventID:4656 ObjectName:\\lsass.exe (AccessMask:0x40* OR AccessMask:0x1400* OR AccessMask:0x100000* OR AccessMask:0x1410* OR AccessMask:0x1010* OR AccessMask:0x1438* OR AccessMask:0x143a* OR AccessMask:0x1418* OR AccessMask:0x1f0fff* OR AccessMask:0x1f1fff* OR AccessMask:0x1f2fff* OR AccessMask:0x1f3fff*)) OR (EventID:4663 ObjectName:\\lsass.exe (AccessList:4484* OR AccessList:4416*))) (-(((ProcessName:\\csrss.exe OR ProcessName:\\GamingServices.exe OR ProcessName:\\lsm.exe OR ProcessName:\\MicrosoftEdgeUpdate.exe OR ProcessName:\\minionhost.exe OR ProcessName:\\MRT.exe OR ProcessName:\\MsMpEng.exe OR ProcessName:\\perfmon.exe OR ProcessName:\\procexp.exe OR ProcessName:\\procexp64.exe OR ProcessName:\\svchost.exe OR ProcessName:\\taskmgr.exe OR ProcessName:\\thor.exe OR ProcessName:\\thor64.exe OR ProcessName:\\vmtoolsd.exe OR ProcessName:\\VsTskMgr.exe OR ProcessName:\\wininit.exe OR ProcessName:\\wmiprvse.exe OR ProcessName:RtkAudUService64) (ProcessName:\:\\Program\ Files\ \(x86\)\\* OR ProcessName:\:\\Program\ Files\\* OR ProcessName:\:\\ProgramData\\Microsoft\\Windows\ Defender\\Platform\\* OR ProcessName:\:\\Windows\\SysNative\\* OR ProcessName:\:\\Windows\\System32\\* OR ProcessName:\:\\Windows\\SysWow64\\* OR ProcessName:\:\\Windows\\Temp\\asgard2\-agent\\*)) OR ProcessName:\:\\Program\ Files* OR (ProcessName:\:\\Windows\\System32\\taskhostw.exe OR ProcessName:\:\\Windows\\System32\\msiexec.exe OR ProcessName:\:\\Windows\\CCM\\CcmExec.exe) OR (ProcessName:\:\\Windows\\Sysmon64.exe AccessList:%%4484*) OR (ProcessName:\:\\Windows\\Temp\\asgard2\-agent\-sc\\aurora\\* ProcessName:\\aurora\-agent\-64.exe AccessList:%%4484*) OR (ProcessName:\\x64\\SCENARIOENGINE.EXE AccessList:%%4484*) OR ((ProcessName:\:\\Users\\* ProcessName:\\AppData\\Local\\Temp\\is\-*) ProcessName:\\avira_system_speedup.tmp AccessList:%%4484*) OR (ProcessName:\:\\Windows\\Temp\\* ProcessName:\\avira_speedup_setup_update.tmp AccessList:%%4484*) OR (ProcessName:\:\\Windows\\System32\\snmp.exe AccessList:%%4484*) OR (ProcessName:\:\\Windows\\SystemTemp\\* ProcessName:\\GoogleUpdate.exe AccessList:%%4484*))) (-((ProcessName:\\procmon64.exe OR ProcessName:\\procmon.exe) AccessList:%%4484*))