Often, we can see registry changes related to a run entry or other activities, such as disabling Task Manager in the memory:
Registry entry strings in memory
The strings in the preceding image show that the malware wants to disable Task Manager and password changes. Also, there is a registry key related to a run entry.