An example of malware which can live inside the Windows registry and persistently spawn reverse shells. Just a simple PoC; AMSI does block this by default.
When the malware.reg file is imported, a Run key is placed in the registry and the encoded shell is stored in a separate key.
Every time the PC restarts, the PowerShell command in the Run key executes and a reverse shell connects back to the encoded IP address.
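The persistence pattern described above (a Run value that launches a hidden, encoded PowerShell command which reads its payload from a second registry value) leaves a recognisable footprint in a .reg export or a registry dump. The following is an added detection example written for this page, not code from the repository: it parses a constructed .reg export, locates autostart keys, decodes any `-EncodedCommand` operand (base64 of UTF-16LE, which is what powershell.exe expects) and reports why each entry looks suspicious. The key paths, value names and sample commands are constructed for the example.

```python
import base64
import re

# Registry autostart locations a .reg import can seed (key path suffixes).
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|Policies\\Explorer\\Run)$",
    re.IGNORECASE,
)


def encode_ps(command):
    """Encode a command the way powershell -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    """Reverse encode_ps; return None if the operand is not a valid encoded command."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_reg(text):
    """Parse the [key] and "name"="value" lines of a .reg export into {key: {name: value}}.

    Only REG_SZ string values are handled, which is all a Run entry needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg escapes backslash and double quote with a leading backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return keys


def encoded_argument(cmdline):
    """Return the base64 operand of an -EncodedCommand style switch, or None.

    powershell.exe accepts any unambiguous prefix of the switch name (-e, -ec, -enc, ...),
    so the check is "prefix of encodedcommand" rather than a fixed list of spellings."""
    tokens = cmdline.split()
    for switch, operand in zip(tokens, tokens[1:]):
        if switch.startswith("-") and len(switch) > 1 and "encodedcommand".startswith(switch[1:].lower()):
            return operand
    return None


def find_suspicious_run_entries(keys):
    """Flag Run-key values that launch PowerShell with the traits of the described PoC."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, cmd in values.items():
            if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmd, re.IGNORECASE):
                continue
            reasons, decoded = [], None
            b64 = encoded_argument(cmd)
            if b64 is not None:
                reasons.append("encoded PowerShell command")
                decoded = decode_ps(b64)
            if re.search(r"-w[a-z]*\s+hidden\b", cmd, re.IGNORECASE):
                reasons.append("hidden window")
            # Inspect the decoded stage too: the PoC keeps its payload in a second value.
            if re.search(r"Get-ItemProperty|\bgp\b|HKCU:|HKLM:|Registry::", decoded or cmd, re.IGNORECASE):
                reasons.append("reads a payload from another registry value")
            if reasons:
                findings.append({"key": key, "name": name, "reasons": reasons, "decoded": decoded})
    return findings


def report(text):
    """Parse a .reg export and return the suspicious autostart entries it would create."""
    return find_suspicious_run_entries(parse_reg(text))


# Constructed sample export (not the page's malware.reg): one Run entry that launches a
# hidden, encoded PowerShell stage reading a second value, plus two benign entries.
SAMPLE_STAGE = r"$blob=(Get-ItemProperty HKCU:\Software\SampleVendor).Blob; Write-Host $blob"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    f'"Updater"="powershell.exe -w hidden -enc {encode_ps(SAMPLE_STAGE)}"',
    r'"Helper"="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\maint.ps1"',
    "",
    r"[HKEY_CURRENT_USER\Software\SampleVendor]",
    '"Blob"="hello from the registry"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"Backup"="C:\\Tools\\backup.exe --quiet"',
])

if __name__ == "__main__":
    for finding in report(SAMPLE_REG):
        print(finding["key"] + "\\" + finding["name"] + ": " + ", ".join(finding["reasons"]))
        if finding["decoded"]:
            print("  decoded stage:", finding["decoded"])
```

Only the `Updater` value is reported; the `Helper` entry also runs PowerShell but carries no encoded operand, no hidden window and no registry read, and the `Backup` entry is not PowerShell at all. The same parser works on a `reg export` of the live Run keys, which is a cheaper triage step than a full host scan when this pattern is suspected.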
Credits for the reverse shell to egre55: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3