WinSCP 6.5 creates suspicious files in Windows-Folder :: Support Forum

forumuser
Joined:: 2025-04-14
Posts:: 2

WinSCP 6.5 creates suspicious files in Windows-Folder

2025-04-14 10:15

Hello,
I was surprised when my endpoint protection alerted me about a trojan file named is-IRMP3.exe in C:\Windows.
When I checked the folder, I see this 3 files:

is-IRMP3.exe
is-IRMP3.lst
is-IRMP3.msg

They have the same date as the day WinSCP 6.5 was installed on the machine.
The content of the is-IRMP3.lst and exe files are attached.
What exactly happened here?

is-irmp3exe.png (27.44 KB)

is-irmp3lst.png (15.4 KB)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,929
Location:: Prague, Czechia

Re: WinSCP 6.5 creates suspicious files in Windows-Folder

2025-04-17

The installer needed to upgrade DragExt64.dll shell extension. As the extension was already loaded (and thus locked), it could not be replaced at the time of the installation. As the replacement was not critical, the installer delayed the replacement until the next Windows restart (instead of forcing you to restart immediately). Those files are support files for the replacement and registration. The .lst file actually even says that. They should get removed the next time you restart your computer.

Reply with quote

forumuser

2025-04-18 06:55

Thanks for the information. But where does the weird name IRMP3 come from? what does it mean? why is this not named something more like winscp?

Reply with quote

WinSCP 6.5 creates suspicious files in Windows-Folder

WinSCP 6.5 creates suspicious files in Windows-Folder

Re: WinSCP 6.5 creates suspicious files in Windows-Folder

Documentation

Support

Associations

Follow Us