The malware creates a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This registry entry ensures that a PowerShell script (yrnwr.ps1) located in the System Update folder inside the misleading LocalLow directory is executed at every user login.