Remote Thread Event Properties
The following event properties can be used with create remote thread events in uAQL queries (event type `Process.CreateRemoteThread`). In addition to the properties listed here, the common properties are applicable, too.
Property name | uAQL Data Type | Description |
---|---|---|
Thread.Id | Integer | The thread identifier of the newly created thread. |
Thread.Timestamp | Integer | Event timestamp. |
Thread.Process.Id | Integer | The process identifier of the process that runs the newly created thread. |
Thread.Parent.Id | Integer | The process identifier of the process that initiated the remote thread. |
Thread.StartAddress | Integer | The absolute address in virtual memory where the function is located. |
Thread.StartModule | String | The name of the library in which the started function is located. |
Thread.StartFunctionName | String | The name of the function that was started as the entry point for the new thread. |