(Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:query* (CommandLine:currentVersion\\windows* OR CommandLine:winlogon\\* OR CommandLine:currentVersion\\shellServiceObjectDelayLoad* OR CommandLine:currentVersion\\run* OR CommandLine:currentVersion\\policies\\explorer\\run* OR CommandLine:currentcontrolset\\services*)