If you find it in AppData\Local\Temp or AppData\Roaming , remove it immediately. If it’s signed by Microsoft (almost impossible, but check anyway), leave it alone. When in doubt, upload to VirusTotal and ask on security forums like BleepingComputer.