(Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:add* (CommandLine:\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run* OR CommandLine:\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR CommandLine:\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR CommandLine:\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows* OR CommandLine:\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*)