Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.
What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.
Read the rest here: