Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies.

Actions

Action Description
load A module load event occurs when a PE image (dll or exe) is loaded into a process.
unload When the module is unloaded from memory, upon destruction of the process or by calling an API such as FreeLibrary, the unload event is triggered.

Fields

Field Description Example
base_address A hex address indicating where the module is loaded into the process’s virtual address space 0xFFFFF8000405F000
fqdn The fully qualified domain name of the host. Contains the hostname appended with the domain. HOST1.EXAMPLE_DOMAIN.COM
hostname The hostname of the active host, without the domain. HOST1
image_path The file system location of the process image. C:\path\to\example.exe
md5_hash The MD5 hash of the contents of the file located at module_path. The field is in hex notation, without the 0x prefix. 5eb63bbbe01eeed093cb22bb8f5acdc3
module_path The full file system path to the module loaded into the memory space of the process. C:\windows\system32\kernel32.exe
module_name The name of the file where the module is loaded on disk. This is also the string that is used internally by the program to lookup information about the module. kernel32.exe
pid Process ID of the process in which the module is loaded (or unloaded). 738
sha1_hash The SHA1 hash of the contents of the file located at image_path. 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
sha256_hash The SHA256 hash of the contents of the file located at image_path. 68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728
signer The name of the organization which signed the module. Microsoft Corporation
tid The thread ID of the thread responsible for the load or unload event. 50

Coverage Map

  base_address fqdn hostname image_path md5_hash module_name module_path pid sha1_hash sha256_hash signer tid
load   Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)   Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2) Sysmon (2.0) Sysmon (3.1) Sysmon (3.2)    
unload