Module

Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies.

Actions

Action	Description
load	A module load event occurs when a PE image (dll or exe) is loaded into a process.
unload	When the module is unloaded from memory, upon destruction of the process or by calling an API such as FreeLibrary, the unload event is triggered.

Fields

Field	Description	Example
base_address	A hex address indicating where the module is loaded into the process’s virtual address space	`0xFFFFF8000405F000`
fqdn	The fully qualified domain name of the host. Contains the hostname appended with the domain.	`HOST1.EXAMPLE_DOMAIN.COM`
hostname	The hostname of the active host, without the domain.	`HOST1`
image_path	The file system location of the process image.	`C:\path\to\example.exe`
md5_hash	The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.	`5eb63bbbe01eeed093cb22bb8f5acdc3`
module_path	The full file system path to the module loaded into the memory space of the process.	`C:\windows\system32\kernel32.exe`
module_name	The name of the file where the module is loaded on disk. This is also the string that is used internally by the program to lookup information about the module.	`kernel32.exe`
pid	Process ID of the process in which the module is loaded (or unloaded).	`738`
sha1_hash	The SHA1 hash of the contents of the file located at `image_path`.	`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`
sha256_hash	The SHA256 hash of the contents of the file located at `image_path`.	`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`
signer	The name of the organization which signed the module.	`Microsoft Corporation`
tid	The thread ID of the thread responsible for the load or unload event.	`50`

Coverage Map

	base_address	fqdn	hostname	image_path	md5_hash	module_name	module_path	pid	sha1_hash	sha256_hash	signer	tid
load		Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)		Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)	Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)
unload