NogysgN Application - What is it?


  1. Posts : 7
    Windows 7 Professional 32bit SP1
       #1

    NogysgN Application - What is it?


    Hello! I was modifying my startup program list and noticed a .exe I've never seen before called NogysgN. The location on my machine is:

    c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe

    It's differentiated from the rest of the items on the list for two reasons: 1) My primary drive is listed as a lowercase letter, unlike other program locations listed, and 2) Program locations are notated with parentheses ("C:\...\...\"), whereas this application is unmarked. The publisher for the program is listed as "Unknown."

    Google searches yield zero results for "NogsysgN," which is surprising; in fact, it's the first time I've been unable to identify a process using Google as a starting point, lol. Whatever program this is, it was marked to boot on startup, so I've disabled it to be cautious and will run a full system security scan to see if Avast identifies it as anything I need to be aware of.

    If anybody knows what this application is, or has this running on their Windows machines, please let me know and maybe we can work to identify this thing.

    The red flags I'm getting are the facts that the program location formatting is odd, the path to the application is built from arbitrary strings, and it seems no one has posted about this anywhere before. All help offered is appreciated!

    Best,

    Alec


  2. Posts : 2,528
    Windows 7 x64 Ultimate
       #2

    Those are very red flags, and the reason Google couldn't find it is that the file path and name are made of completely random letters that are chosen for you on install, which is the biggest red flag of all.

    The contents of the file can only change so much so a malware or virus scanner should be able to detect it still...


  3. Posts : 7
    Windows 7 Professional 32bit SP1
    Thread Starter
       #3

    fseal said:
    The contents of the file can only change so much so a malware or virus scanner should be able to detect it still...
    I would think so too, but Avast didn't locate anything on my system scan. I think I'll run Malwarebytes before I try and get in that directory. Thanks for confirming my paranoia, fseal


  4. Posts : 2,528
    Windows 7 x64 Ultimate
       #4

    Hmm I just noticed that the executable is in the program data folder not the program files folder...

    A /possible/ explanation is that it is the temp output of a down-loader program or something. The kind of thing that would be created, then when DL is complete moved and renamed. Though usually \temp or some other folder under the product name would normally be used...

    I'd be tempted to load the program in a binary editor and look for strings that might identify it as something you meant to DL at one time...
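
fseal's suggestion in post #4 (look inside the binary for identifying strings), as an added example that is not from the thread. Windows executables keep their version-information keys such as CompanyName as UTF-16LE text, which an ASCII-only search misses, so both encodings are scanned; the sample bytes, the names and the key/value pairing are constructed assumptions, not a real resource parser.

```python
import re

MIN_LEN = 4  # shortest run worth reporting (assumed threshold)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
VERSION_KEYS = {"CompanyName", "ProductName", "FileDescription", "OriginalFilename"}

def read_without_running(path):
    """Read the file as raw bytes; nothing is executed."""
    with open(path, "rb") as fh:
        return fh.read()

def ascii_strings(data):
    """Printable single-byte runs, in file order."""
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]

def wide_strings(data):
    """Printable UTF-16LE runs (each character followed by a zero byte)."""
    return [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]

def version_hints(data):
    """Naively pair each known version-info key with the wide string after it."""
    wide = wide_strings(data)
    return {k: v for k, v in zip(wide, wide[1:]) if k in VERSION_KEYS}

def w(text):
    return text.encode("utf-16-le")

# Constructed sample bytes standing in for a file's contents.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\n\x00\x00"
    + w("CompanyName") + b"\x00\x00" + w("Example Software Ltd") + b"\x00\x00\x00\x00"
    + w("OriginalFilename") + b"\x00\x00" + w("setup_helper.exe") + b"\x00\x00"
)

if __name__ == "__main__":
    print(ascii_strings(SAMPLE))
    for key, value in version_hints(SAMPLE).items():
        print(f"{key}: {value}")
```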


  5. Posts : 7
    Windows 7 Professional 32bit SP1
    Thread Starter
       #5

    fseal said:
    A /possible/ explanation is that it is the temp output of a down-loader program or something. The kind of thing that would be created, then when DL is complete moved and renamed. Though usually \temp or some other folder under the product name would normally be used...

    I'd be tempted to load the program in a binary editor and look for strings that might identify it as something you meant to DL at one time...
    I've thought about the possibility of it being temp output, but kind of dismissed it for the reason you pointed out (that it's not stored in any kind of \temp folder) and also because it was enabled to boot on startup. Wouldn't that indicate some kind of need for repetitive functionality? When I check all of my running processes, nothing shows up that's unnecessary or out of the ordinary.

    A good suggestion though, if my second system scan for malware doesn't come up with anything, I'll open it up in an editor and dig around. Thanks for the idea!


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #6

    Upload the file in c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe to Jotti and have it scanned for malware.
    Jotti's malware scan


  7. Posts : 7
    Windows 7 Professional 32bit SP1
    Thread Starter
       #7

    Jacee said:
    Upload the file in c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe to Jotti and have it scanned for malware.
    Jotti's malware scan
    Not familiar with that program, but if Malwarebytes doesn't catch anything, I'll definitely give it a shot, before I open it up in an editor, thanks for the tip, Jacee!


  8. Posts : 2,528
    Windows 7 x64 Ultimate
       #8

    Ugh yeah, running a program out of the program data folder is also very suspicious. :/

    You have removed it from the startup already right? :)


  9. Posts : 7
    Windows 7 Professional 32bit SP1
    Thread Starter
       #9

    fseal said:
    Ugh yeah, running a program out of the program data folder is also very suspicious. :/

    You have removed it from the startup already right? :)
    Lol, yeah, definitely removed it from startup right off the bat!


  10. Posts : 7
    Windows 7 Professional 32bit SP1
    Thread Starter
       #10

    Okay, here are the results pulled up from a Malwarebytes' system scan:



    While the precise location of NogsysgN.exe isn't listed here, the command location, HKCU\SOFTWARE\Windows\CurrentVersion\Run, the registry location of that third item in the list is pretty close. Going to get rid of these, run the path through Jotti's (on suggestion from Jacee) and see what happens after a reboot before trying to open in an editor.

    Considering I run fairly regular system scans and don't visit too many suspicious websites (lol), I'm surprised to see that at least three of these could have pretty nasty consequences. Unsurprisingly, I've never had any problems like this on my Linux machine.
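
The red flags raised across this thread (unquoted autorun path, lowercase drive letter, executable under ProgramData, random-looking names, unknown publisher) can be checked mechanically over an exported startup list. This is an added example, not code from any poster; the two contrast entries, the thresholds and the function names are assumptions, and the name heuristic is deliberately rough.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "name path flags")

DATA_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\")  # data, not install, locations

def split_command(command):
    """Return (exe_path, was_quoted) for a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end != -1 else command[1:]), True
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return (m.group(1) if m else command.split(" ", 1)[0]), False

def looks_random(component):
    """Heuristic: almost no vowels, or capitals only at both ends ('YmrpslH')."""
    stem = component.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem.lower()) / len(stem)
    bookend_caps = stem[0].isupper() and stem[-1].isupper() and stem[1:-1].islower()
    return vowel_ratio < 0.15 or bookend_caps

def triage(name, command, publisher=None):
    path, quoted = split_command(command)
    flags = []
    if not quoted:
        flags.append("unquoted-path")
    if re.match(r"[a-z]:\\", path):
        flags.append("lowercase-drive")
    if any(d in path.lower() for d in DATA_DIRS):
        flags.append("runs-from-data-dir")
    if any(looks_random(part) for part in path.split("\\")[1:]):
        flags.append("random-looking-name")
    if not publisher or publisher.strip().lower() == "unknown":
        flags.append("unknown-publisher")
    return Finding(name, path, flags)

def suspicious(entries, threshold=3):
    """Entries carrying at least `threshold` flags; one flag alone is weak evidence."""
    return [f for f in (triage(*e) for e in entries) if len(f.flags) >= threshold]

# Constructed sample: the thread's entry plus two made-up ones for contrast.
ENTRIES = [
    ("ExampleAV", r'"C:\Program Files\Example AV\ExampleAV.exe" /start', "Example AV Ltd"),
    ("Updater", r"C:\Users\user\AppData\Roaming\Updater\updater.exe", "Example Corp"),
    ("NogsysgN", r"c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe", "Unknown"),
]
```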


 