I am using ESET Internet Security and renewed to 12.1.31.0. I have scheduled a scan immediately after each update with "Smart Scan" profile. Other than Windows\System, Windows\System32, Windows\Temp .. which are the critical places where a ransomware or malware can hide?
To answer your question generally speaking, malware can run from anywhere. Without getting into the "nitty gritty" of that, the most important area to monitor for program execution from is the C:\Users\xxxxxx\AppData\* folders/directories. And if your create a HIPS rule for this, you will get alerts since many installers for example create temp .exe files in C:\Users\xxxxxx\AppData\Local\Temp directory. This really is not necessary since Eset has a default scan set up to do the same after every module update.