Watch Out For

Key Registry Locations to Watch

Sandbox Checks

HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath

Persistence Checks

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved

Services and Drivers

HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder
HKLM\SYSTEM\CurrentControlSet\Enum\Root

System Configuration and Security

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
HKLM\SOFTWARE\Microsoft\Windows Defender

Shell and File Association Hijacking

HKCR\exefile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\cmdfile\shell\open\command
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKLM\SECURITY\Policy\Secrets

Processes

Key Processes to Watch

Hypervisor Checks (Anti-Reverse)

In some instances a sample will look for running processes that indicate it is executing under a hypervisor or inside an analysis environment. In such cases you may need to patch the sample, or modify the environment so that the conditions it checks are met, before it will execute in full.

VMWare Processes

TPAutoConSvc.exe
VGAuthService.exe
VMWareService.exe
Vm3dservice.exe
Vmtoolsd.exe
Vmwaretray.exe
Vmwareuser.exe

Common VirtualBox Processes

VBoxControl.exe
VBoxService.exe
VBoxTray.exe

Reversing tool Processes

procmon.exe
tcpview.exe
wireshark.exe
etc.

LOLBin Checks (Injection, etc.)

In some instances a sample may look for known Windows binaries to inject code into. LOLBin stands for Living Off the Land Binary. Below is a list of commonly targeted Windows LOLBins.

mshta.exe
wscript.exe
cscript.exe
powershell.exe
pwsh.exe
forfiles.exe
regsvr32.exe
rundll32.exe
regasm.exe
regsvcs.exe
installutil.exe
msbuild.exe
certutil.exe
wmic.exe
eventvwr.exe
CompMgmtLauncher.exe
fodhelper.exe
mavinject.exe
windeploy.exe

Folders & Files

Folder / Paths to Watch

Hypervisor Path Checks (Anti-Reverse)

In some instances a sample may look for the following paths to determine whether it is running inside a hypervisor or an analysis environment.

VMWare

C:\Windows\System32\drivers\vm*
C:\Windows\System32\vm*
C:\Windows\SysWOW64\vm*
C:\Program Files\VMWare\
C:\Program Files\Common Files\VMWare\

VirtualBox

C:\Windows\System32\VBox*
C:\Windows\System32\drivers\VBox*
C:\Program Files\Oracle\VirtualBox Guest Additions\

Generic Path Checks (System Operations)

Below is a set of common paths that a sample may write to, read from, or make system changes in.

%ProgramData%\*
%Public%\*
%Temp%\*
%AppData%\*
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*
%LocalAppData%\*
%USERPROFILE%\Downloads\*
%USERPROFILE%\Documents\*
%USERPROFILE%\AppData\LocalLow\*
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start 
%WINDIR%\Temp\*
%WINDIR%\Tasks\*
%WINDIR%\System32\Tasks\*
%WINDIR%\Prefetch\*
%WINDIR%\Fonts\*
%Recycle.Bin%\*

Registry - Process - Files Reference Sheet

You may want to search for strings related to the registry keys, processes or paths listed here, both at the initial-triage stage and during the in-execution/interactive stages.
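As an added example (not part of this sheet), a small Python triage helper that matches strings extracted from a sample against a subset of the registry keys, process names and paths listed above. The category names and the sample strings are constructed for illustration; the matching handles the usual spelling differences (long or missing hive names, full paths versus bare process names, wildcard paths).

```python
"""Added triage helper: match strings pulled from a sample against this sheet's indicators."""
import fnmatch
from collections import defaultdict
# Representative indicators from the sheet, grouped by what a hit suggests.
INDICATORS = {
    "sandbox_check": ("registry", [r"HKLM\Software\VMware, Inc.\VMware Tools\InstallPath"]),
    "persistence": ("registry", [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                 r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                                 r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"]),
    "hypervisor_process": ("process", ["vmtoolsd.exe", "vmwaretray.exe", "VBoxService.exe", "VBoxTray.exe"]),
    "analysis_tool": ("process", ["procmon.exe", "tcpview.exe", "wireshark.exe"]),
    "lolbin": ("process", ["mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"]),
    "hypervisor_path": ("path", [r"C:\Windows\System32\drivers\vm*", r"C:\Windows\System32\VBox*"]),
    "staging_path": ("path", [r"%Temp%\*", r"%AppData%\*", r"%ProgramData%\*"]),
}
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_classes_root": "hkcr"}

def _norm(s):
    # Lower-case, trim, and shorten long hive names so key spellings compare equal.
    s = s.strip().strip("\\").lower()
    for full, short in HIVES.items():
        if s.startswith(full):
            s = short + s[len(full):]
    return s

def _registry_hit(string, key):
    s, k = _norm(string), _norm(key)
    subkey = k.partition("\\")[2]
    # Extracted strings often omit the hive; accept the bare subkey path too.
    return s == k or (s.split("\\")[0] not in HIVES.values() and s == subkey)

def _process_hit(string, name):
    # Compare only the file name so a full path still matches.
    return fnmatch.fnmatchcase(string.lower().rsplit("\\", 1)[-1], name.lower())

MATCHERS = {"registry": _registry_hit, "process": _process_hit,
            "path": lambda s, p: fnmatch.fnmatchcase(s.lower(), p.lower())}

def classify_strings(strings):
    """Return {category: sorted matching strings}; strings with no hit are dropped."""
    hits = defaultdict(set)
    for s in strings:
        for category, (kind, patterns) in INDICATORS.items():
            if any(MATCHERS[kind](s, p) for p in patterns):
                hits[category].add(s)
    return {c: sorted(v) for c, v in hits.items()}

# Constructed strings, shaped like `strings` output from a sample.
SAMPLE_STRINGS = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wireshark.exe", "kernel32.dll",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath", "GetProcAddress",
                  r"C:\Windows\System32\drivers\vmmouse.sys", r"C:\Windows\System32\rundll32.exe", r"%TEMP%\update.dat"]
```

Calling classify_strings(SAMPLE_STRINGS) reports one hit in each of persistence, sandbox_check, hypervisor_path, lolbin, analysis_tool and staging_path, and leaves kernel32.dll and GetProcAddress unreported.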