{"id":4446,"date":"2025-05-24T13:44:14","date_gmt":"2025-05-24T21:44:14","guid":{"rendered":"https:\/\/www.antivirusaz.com\/faq\/?post_type=ht_kb&#038;p=4446"},"modified":"2025-05-24T13:44:34","modified_gmt":"2025-05-24T21:44:34","slug":"what-is-process-hollowing","status":"publish","type":"ht_kb","link":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/","title":{"rendered":"What is process hollowing?"},"content":{"rendered":"<p><strong>Process hollowing<\/strong> is a stealthy malware technique where a legitimate process is launched in a suspended state, its memory is emptied, and then replaced with <a href=\"\/security-center\/malware.html\">malicious code<\/a>. The process is then resumed\u2014<em>appearing normal to the system and antivirus software<\/em>, even though it&#8217;s now running malware.<\/p>\n<p>This method is commonly used by <a href=\"\/security-center\/trojans.html\"><strong>trojans<\/strong><\/a>, <a href=\"\/security-center\/ransomware.html\"><strong>ransomware<\/strong><\/a>, and <a href=\"\/faq\/art\/what-is-fileless-malware\/\"><strong>fileless malware<\/strong><\/a> to <strong>evade detection<\/strong>. Because the malware runs under the name of a trusted program (like <code>explorer.exe<\/code> or <code>svchost.exe<\/code>), it\u2019s harder for users or security tools to notice anything suspicious.<\/p>\n<p>Process hollowing is a favorite in advanced persistent threats (APTs) and red-team tools due to its effectiveness at bypassing defenses.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Process hollowing is a stealthy malware technique where a legitimate process is launched in a suspended state, its memory is emptied, and then replaced with malicious code. The process is then resumed\u2014appearing normal to the system and antivirus software, even though it&#8217;s now running malware. This method is commonly used by trojans, ransomware, and fileless [&hellip;]<\/p>\n","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[12],"ht-kb-tag":[581,580],"class_list":["post-4446","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-threats-vulnerabilities","ht_kb_tag-hollowing","ht_kb_tag-process-hollowing"],"blocksy_meta":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is process hollowing?<\/title>\n<meta name=\"description\" content=\"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is process hollowing?\" \/>\n<meta property=\"og:description\" content=\"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/\" \/>\n<meta property=\"og:site_name\" content=\"Antivirus and Security Software FAQs &amp; Blog\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-24T21:44:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.antivirusaz.com\/faq\/wp-content\/uploads\/2023\/02\/antivirusaz-faq-blog-logo.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/art\\\/what-is-process-hollowing\\\/\",\"url\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/art\\\/what-is-process-hollowing\\\/\",\"name\":\"What is process hollowing?\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#website\"},\"datePublished\":\"2025-05-24T21:44:14+00:00\",\"dateModified\":\"2025-05-24T21:44:34+00:00\",\"description\":\"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/art\\\/what-is-process-hollowing\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/art\\\/what-is-process-hollowing\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/art\\\/what-is-process-hollowing\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is process hollowing?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#website\",\"url\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/\",\"name\":\"Antivirus and Security Software FAQs & Blog\",\"description\":\"Frequently asked questions about antivirus and security software, and other computer security related issues.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#organization\"},\"alternateName\":\"AntivirusAZ.com FAQs & Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#organization\",\"name\":\"AntiVirusAZ.com\",\"url\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/antivirusaz-faq-blog-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/antivirusaz-faq-blog-logo.png\",\"width\":1536,\"height\":512,\"caption\":\"AntiVirusAZ.com\"},\"image\":{\"@id\":\"https:\\\/\\\/www.antivirusaz.com\\\/faq\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is process hollowing?","description":"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/","og_locale":"en_US","og_type":"article","og_title":"What is process hollowing?","og_description":"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.","og_url":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/","og_site_name":"Antivirus and Security Software FAQs &amp; Blog","article_modified_time":"2025-05-24T21:44:34+00:00","og_image":[{"width":1536,"height":512,"url":"https:\/\/www.antivirusaz.com\/faq\/wp-content\/uploads\/2023\/02\/antivirusaz-faq-blog-logo.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/","url":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/","name":"What is process hollowing?","isPartOf":{"@id":"https:\/\/www.antivirusaz.com\/faq\/#website"},"datePublished":"2025-05-24T21:44:14+00:00","dateModified":"2025-05-24T21:44:34+00:00","description":"Process hollowing is a stealth technique where malware hides inside legit processes to evade detection. Learn how it works and why it\u2019s used in cyberattacks.","breadcrumb":{"@id":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.antivirusaz.com\/faq\/art\/what-is-process-hollowing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.antivirusaz.com\/faq\/"},{"@type":"ListItem","position":2,"name":"What is process hollowing?"}]},{"@type":"WebSite","@id":"https:\/\/www.antivirusaz.com\/faq\/#website","url":"https:\/\/www.antivirusaz.com\/faq\/","name":"Antivirus and Security Software FAQs & Blog","description":"Frequently asked questions about antivirus and security software, and other computer security related issues.","publisher":{"@id":"https:\/\/www.antivirusaz.com\/faq\/#organization"},"alternateName":"AntivirusAZ.com FAQs & Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.antivirusaz.com\/faq\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.antivirusaz.com\/faq\/#organization","name":"AntiVirusAZ.com","url":"https:\/\/www.antivirusaz.com\/faq\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.antivirusaz.com\/faq\/#\/schema\/logo\/image\/","url":"https:\/\/www.antivirusaz.com\/faq\/wp-content\/uploads\/2023\/02\/antivirusaz-faq-blog-logo.png","contentUrl":"https:\/\/www.antivirusaz.com\/faq\/wp-content\/uploads\/2023\/02\/antivirusaz-faq-blog-logo.png","width":1536,"height":512,"caption":"AntiVirusAZ.com"},"image":{"@id":"https:\/\/www.antivirusaz.com\/faq\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb\/4446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/comments?post=4446"}],"version-history":[{"count":1,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb\/4446\/revisions"}],"predecessor-version":[{"id":4447,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb\/4446\/revisions\/4447"}],"wp:attachment":[{"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/media?parent=4446"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb-category?post=4446"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.antivirusaz.com\/faq\/wp-json\/wp\/v2\/ht-kb-tag?post=4446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}