2.1 Run Registry Key

One of the most common persistence mechanisms used by adversaries to survive a reboot is adding an entry to the run registry keys. A program referenced from a run registry key is executed at system startup. The following is a list of the most commonly used run registry keys. Malware can add itself to various other auto-start locations in addition to the ones we are about to mention. The best way to get an idea of the various auto-start locations is to use the AutoRuns utility by Sysinternals (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

In the following example, upon execution, the malware (bas.exe) first drops an executable in the Windows directory (LSPRN.EXE) and then adds the following entry to the run registry key so that the malicious program starts every time the system starts. From the registry entry, it can be seen that the malware is trying to make its binary look like a printer-related application:

[RegSetValue] bas.exe:2192 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = C:\Windows\LSPRN.EXE

To detect malware using this persistence method, you can monitor for changes to the Run registry keys that are not associated with a known program. You can also use the Sysinternals AutoRuns utility to inspect the auto-start locations for suspicious entries.
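As an added example that is not part of the book, the following Python detection logic parses RegSetValue log lines in the format shown above, flags any write to one of the run keys listed earlier, and skips entries whose image path is on an allow-list; the allow-list and the sample log lines are constructed for the example.

```python
"""Flag RegSetValue events that write to the auto-start run registry keys."""
import re

# The run keys listed in the text; compared case-insensitively below.
RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]

# Constructed allow-list of image paths known to be legitimate (assumption).
KNOWN_GOOD = {r"c:\program files\vendor\updater.exe"}

# Matches lines like: [RegSetValue] proc.exe:1234 > HKLM\...\Run\Name = C:\x.exe
LINE_RE = re.compile(
    r"^\[RegSetValue\]\s+(?P<proc>\S+?):(?P<pid>\d+)\s+>\s+(?P<key>.+?)\s+=\s+(?P<data>.+)$"
)

def parse_event(line):
    """Split one RegSetValue line into process, pid, key path, value name, data."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, _, value_name = m.group("key").rpartition("\\")
    return {"process": m.group("proc"), "pid": int(m.group("pid")),
            "key": key, "value_name": value_name, "data": m.group("data")}

def is_run_key(key):
    """True when the key path is exactly one of the run keys (case-insensitive)."""
    return key.lower() in {k.lower() for k in RUN_KEYS}

def suspicious_autoruns(lines):
    """Return events that write a non-allow-listed image path to a run key."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_run_key(ev["key"]):
            continue
        if ev["data"].strip('"').lower() in KNOWN_GOOD:
            continue
        hits.append(ev)
    return hits

# Constructed sample log: the entry from the text, a benign write, a non-run key.
SAMPLE_LOG = [
    r"[RegSetValue] bas.exe:2192 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = C:\Windows\LSPRN.EXE",
    r"[RegSetValue] setup.exe:1044 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Program Files\Vendor\updater.exe",
    r"[RegSetValue] notepad.exe:3300 > HKCU\Software\Microsoft\Notepad\lfFaceName = Consolas",
]

if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_LOG):
        print(f"{hit['process']}:{hit['pid']} set {hit['value_name']} = {hit['data']}")
```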
