
Where malware likes to hide the most

We’ve identified the most common locations where malware hides—so you don’t have to.

Malware can hide in numerous Windows locations. Scanning them regularly is essential for effective detection and removal.

The most common hiding places for malicious code are:

Memory

Fileless malware lives entirely in memory, so it does not leave a forensic footprint on the hard drive. This strategy has one drawback: a reboot wipes it from RAM, forcing the attackers to regain access. To survive a restart, some fileless threats add registry keys that automatically reload the payload into memory.

Legitimate processes

Some malware uses process injection, of which process hollowing is one technique, to run malicious code inside a legitimate process. Process hollowing involves creating a new process in a suspended state, replacing its memory with malicious code, and then resuming it.

Boot records

Bootkits infect the volume boot record or master boot record. This means that they can survive reboots and even a complete re-installation of the operating system. Bootkits run before Windows has loaded, and because they are outside the Windows filesystem they are invisible to standard tools and processes that run on top of Windows.

NTFS Alternate Data Streams (ADS)

Alternate Data Streams (ADS) are a feature of NTFS that stores extra information alongside a file—metadata, comments, and more. They act as hidden storage areas, and malware authors abuse them to hide and run malicious code.

AppData and ProgramData folders

Located at C:\Users\%username%\AppData and C:\ProgramData, the AppData and ProgramData folders are hidden by default and filled with enough obscure files that malware can hide without raising suspicion.

Some malware also abuses the C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder for persistence, because files stored there are launched when the user logs in.

System32 and SysWOW64 folders

The C:\Windows\System32 and C:\Windows\SysWOW64 folders are home to essential system files. Malware with sufficient privileges can reside here, masquerading as legitimate system components. Since the contents of these folders are critical to the computer’s operation, users are likely to avoid interacting with files in these folders, and may be reluctant to delete them, which offers malware a layer of passive concealment.

Recycle bins

Like AppData and ProgramData, the $Recycle.Bin folder is hidden by default. Malware can hide in—and even execute from—your Recycle Bin.

Temp folders

The C:\Windows\Temp folder is often overlooked—users assume it only contains harmless, temporary files.

Image, audio, and other data files

Steganography is the technique of hiding data, such as a malicious payload, inside other unrelated data, such as a picture or music file. For example, Duqu malware embedded its payload within JPEG images and WAV files.
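Several of the locations above can be inspected from an elevated PowerShell session. The sweep below is an added example, not code from this article or from ThreatDown; it assumes the article's folder paths, the standard Run/RunOnce registry keys and the usual Windows environment variables, and only lists what it finds so an analyst can review it.

```powershell
# Added example (not the article's code): read-only sweep of hiding places listed above.
# Run as an administrator on the host being examined; nothing here modifies the system.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Alternate Data Streams under AppData, ProgramData and Windows\Temp.
#    Every NTFS file has the default ':$DATA' stream; 'Zone.Identifier' is the
#    normally benign Mark of the Web, so both are filtered out to reduce noise.
$adsRoots = @("$env:USERPROFILE\AppData", $env:ProgramData, "$env:SystemRoot\Temp")
$ads = Get-ChildItem -Path $adsRoots -File -Recurse -Force |
    Get-Item -Stream * |
    Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
    Select-Object FileName, Stream, Length

# 2. Run / RunOnce keys, the registry route fileless malware uses to reload after a reboot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        # Drop the provider bookkeeping properties (PSPath, PSDrive, ...) and keep real values.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. The per-user Startup folder: everything here is launched at logon.
$startupDir = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$startup = Get-ChildItem -Path $startupDir -File -Force |
    Select-Object Name, Length, LastWriteTime

# 4. Executable or script content sitting in Temp folders or the Recycle Bin,
#    where legitimate software should rarely need to run from.
$oddRoots = @("$env:SystemRoot\Temp", $env:TEMP, "$env:SystemDrive\`$Recycle.Bin")
$oddFiles = Get-ChildItem -Path $oddRoots -File -Recurse -Force -Include *.exe, *.dll, *.ps1, *.vbs, *.js |
    Select-Object FullName, Length, LastWriteTime

'== Alternate Data Streams =='            ; $ads      | Format-Table -AutoSize
'== Run / RunOnce entries =='             ; $autoruns | Format-Table -AutoSize
'== Startup folder =='                    ; $startup  | Format-Table -AutoSize
'== Executables in Temp / Recycle Bin ==' ; $oddFiles | Format-Table -AutoSize
```

Findings are not verdicts: compare each listed file or Run entry against a known-good baseline or vendor signature before acting on it.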

How ThreatDown helps

ThreatDown’s proactive, always-on protection keeps your systems safe by scanning the places that malware likes to hide.