Beyond good ol’ Run key, Part 148
Analysis of the AggregatorHost.exe binary revealed a new Registry entry, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks\TestUndockedAggregatorDll, that can be used as a persistence mechanism to load malware at system startup. 2025-7-5 23:44:20 Author: www.hexacorn.com

Analyzing the very same binary (AggregatorHost.exe) that makes the persistence trick described in my previous post work, I noticed that there is one more Registry entry we can use as a persistence mechanism:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks\TestUndockedAggregatorDll=<malware>

As with the entry from the previous post, it is loaded at system start.
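A read-only audit check for this value, added here as an example that is not part of the original post. It assumes the value holds a DLL path (the value name suggests so, and the post shows it set to `<malware>`), uses only built-in cmdlets, and reports the configured DLL with its Authenticode status for triage:

```powershell
# Added example, not from the original post: audit the TestHooks value described above.
# Assumption: the value holds a path to a DLL. Run as administrator; nothing is modified.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks'
$ValueName = 'TestUndockedAggregatorDll'

function Get-TestHookFinding {
    # Returns $null when the value is absent (the expected state on a clean host),
    # otherwise an object describing the configured DLL for triage.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }

    # Expand %VAR% references so the on-disk path can be inspected.
    $dllPath = [Environment]::ExpandEnvironmentVariables([string]$item.$ValueName)
    $finding = [pscustomobject]@{
        Key       = $KeyPath
        Value     = $ValueName
        DllPath   = $dllPath
        Exists    = Test-Path -LiteralPath $dllPath -PathType Leaf
        Signature = 'n/a'
        Signer    = 'n/a'
        LastWrite = $null
    }
    if ($finding.Exists) {
        # An unsigned or non-Microsoft DLL referenced from a test hook is a strong triage lead.
        $sig = Get-AuthenticodeSignature -LiteralPath $dllPath
        $finding.Signature = $sig.Status.ToString()
        $finding.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        $finding.LastWrite = (Get-Item -LiteralPath $dllPath).LastWriteTime
    }
    return $finding
}

$f = Get-TestHookFinding
if ($null -eq $f) {
    Write-Output "OK: $ValueName is not set under $KeyPath"
} else {
    Write-Warning "Persistence value present: $ValueName -> $($f.DllPath)"
    $f | Format-List
}
```

Because the value should not exist on a normal host, its mere presence (and any registry write to the TestHooks key in your EDR or Sysmon telemetry) is worth alerting on regardless of what the DLL turns out to be.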


Source: https://www.hexacorn.com/blog/2025/07/05/beyond-good-ol-run-key-part-148/