LoFP LoFP / software that illegally integrates megasync in a renamed form

Techniques

Sample rules

Renamed MegaSync Execution

Description

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Detection logic

condition: selection and not filter
filter:
  Image|endswith: \megasync.exe
selection:
  OriginalFileName: megasync.exe