The installer in created in Inno Setup. We have no control over the naming of those temporary files. The part of the name after is- (= Inno Setup) is random.

i also found this file called is-akmpf.exe on another device but without the lst and msg files.
looks like the name is generated on every installation?

Thanks for the information. But where does the weird name IRMP3 come from? What does it mean? Why is this not named something more like WinSCP?

The installer needed to upgrade DragExt64.dll shell extension. As the extension was already loaded (and thus locked), it could not be replaced at the time of the installation. As the replacement was not critical, the installer delayed the replacement until the next Windows restart (instead of forcing you to restart immediately). Those files are support files for the replacement and registration. The .lst file actually even says that. They should get removed the next time you restart your computer.

Hello,
I was surprised when my endpoint protection alerted me about a trojan file named is-IRMP3.exe in C:\Windows.
When I checked the folder, I see this 3 files:

They have the same date as the day WinSCP 6.5 was installed on the machine.
The content of the is-IRMP3.lst and exe files are attached.
What exactly happened here?