Entering a file path in the registry data under these registry keys will trigger execution when Windows starts, as can be seen in the following registry path for the Windows 64-bit versions
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNRunServicesOnce
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
- HKEY_LOCAL_MACHINESOFTWAREWow6432NodeWindowsCurrentVersionRun
Programs that are listed under these registry keys will trigger execution when the current user logs in, as can be seen in the following registry path:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnceEx
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
- HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsRun
The keys names containing Once will have the listed programs that run only once. The malware may still persist if it keeps on placing its own file path under the RunOnce, RunOnceEx or RunServicesOnce keys.