{
	"id": "27d31e01-438a-4ecd-9c19-6f166f41d4f8",
	"created_at": "2026-04-06T00:21:41.81214Z",
	"updated_at": "2026-04-10T03:20:05.109572Z",
	"deleted_at": null,
	"sha1_hash": "83333f92fb2a29eb4f14f0da3c6faf427a8ba3f0",
	"title": "Hiding in plain sight | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 715564,
	"plain_text": "Hiding in plain sight | Malwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2013-10-17 · Archived: 2026-04-05 14:29:12 UTC\r\nA lot of programs we install on our computer are automatically run when Windows starts and loads.\r\nWhile this is not always necessary, there usually is not much harm in this.\r\nBut this behavior is also copied by malware writers to pass security checks. Their malicious programs try to mimic\r\nlegitimate programs that you might expect in your Windows startup programs.\r\nWhy hide when you can pretend to be something useful?\r\nCopying the art of camouflage from the animal world, malware writers have been trying several methods over the\r\nyears to hide their registry entries in the open. Sometimes by using (pseudo-)random names and sometimes by\r\nusing locations that are relatively unknown to the general public. But also by pretending to be, or belong to,\r\nlegitimate programs.\r\nArguably there are some 57 ways to make a file get loaded automatically.\r\nThe majority of them are found in the registry. Not all of them apply when Windows loads; some get triggered by\r\nother events.\r\nRunning Internet Explorer, for example, loads the Browser Helper Objects.\r\nSome of the most well-known and most used startup locations are the Run keys:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nor HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nTogether with entries from the Windows startup folder and other possible registry entries, these are listed in the\r\nStartup database by research engineer Paul Collins aka Pacman.\r\nThis database gives you information about the name of the startup key, the name of the file that gets started,\r\nwhether the startup is needed, not necessary or even downright malicious. 
It also has a column where you can find\r\nextra information about the files. This can include a link to the site of the manufacturer or a link to a description of\r\nthe malware.\r\nAs you can tell from the screenshot (or if you do a search on the site for yourself) there are a few filenames that\r\nare very popular to disguise malware. These are typically entries that are very popular (like skype.exe) or entries\r\nthat look very much like a legitimate Windows filename (e.g., svchost.exe).\r\nIf you check your own registry or make a log file with the startup information, a file like skype.exe may jump out\r\nat you if you have never installed the program. But if you showed that log to someone else, they might not know if\r\nyou use the program. That is why experienced and trained log readers pay attention to the folder the file is found\r\nin.\r\nThe default location for the legitimate skype.exe is %ProgramFiles%\\Skype\\Phone, where %ProgramFiles% is an environment\r\nvariable that points to the Program Files directory, usually C:\\Program Files or C:\\Program Files (x86).\r\nAny skype.exe located in another folder should be looked at more closely. Another important point is the name of the\r\nstartup. For the legitimate skype.exe (and many fake ones) the name is “Skype”, but there are others, like the\r\nmalware shown in the example that uses “Skype Update”. That may have been an attempt to make it look less\r\nconspicuous if the real Skype is present as well.\r\nIf you need to know more about Windows startup programs, and especially how to identify them, then we\r\nrecommend you visit Pacman’s Portal – which is powered by Malwarebytes.\r\nThank you, Paul Collins, for your input.\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. 
Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/"
	],
	"report_names": [
		"hiding-in-plain-sight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83333f92fb2a29eb4f14f0da3c6faf427a8ba3f0.pdf",
		"text": "https://archive.orkl.eu/83333f92fb2a29eb4f14f0da3c6faf427a8ba3f0.txt",
		"img": "https://archive.orkl.eu/83333f92fb2a29eb4f14f0da3c6faf427a8ba3f0.jpg"
	}
}