Image:\\reg.exe (CommandLine:reg* CommandLine:\ add\ *) (CommandLine:Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*)