scorz wrote:
Wireshark is your friend (or any other network sniffer)
Start sniffing, and filter the IP address to 185.91.98.18 & 185.91.98.19. And then retrieve the ports that are used for the transfer.
You can then get the PID (process ID) using these ports.
Unix-like: it's "netstat -tulpn | grep -e :<port>", e.g. "netstat -tulpn | grep -e :80"
Windows: "netstat -abo | findstr <port>", e.g. "netstat -abo | findstr 80"
And after that remove the file. If it appears again, maybe there is some script on your OS re-running it. (Windows registry?)
It's on port 80 and I used your command line. I can't get any results using -abo, only -ao or -ano, and it misses the file name using the port :(
OK, I closed the ZoneAlarm firewall and, given CurrPorts data, it's Firefox the culprit!
Even closed, it's sending data to "Berytech"!!
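
The port-to-PID lookup discussed in this thread, as an added example that is not part of any post above: it parses `netstat -ano` output and lists which PIDs own connections to the two addresses named in the thread. The sample output, local addresses and PIDs are constructed.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    192.168.1.20:49712     185.91.98.18:80        ESTABLISHED     4312
  TCP    192.168.1.20:49713     185.91.98.19:80        ESTABLISHED     4312
  TCP    192.168.1.20:49650     185.91.98.18:80        TIME_WAIT       0
  TCP    192.168.1.20:49720     203.0.113.7:443        ESTABLISHED     5120
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     2200
  UDP    0.0.0.0:5353           *:*                                    1888
"""

WATCHED = ("185.91.98.18", "185.91.98.19")  # addresses named in the thread


def remote_host(endpoint):
    """Return the host part of 'host:port' or '[v6%zone]:port'."""
    host = endpoint.rpartition(":")[0]
    return host.strip("[]").split("%")[0]


def find_connections(netstat_text, watched=WATCHED):
    """Return (remote endpoint, state, pid) for sockets talking to `watched`."""
    targets = {ipaddress.ip_address(a) for a in watched}
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        try:
            addr = ipaddress.ip_address(remote_host(fields[2]))
        except ValueError:
            continue  # UDP rows show '*:*' as the foreign address
        if addr in targets and fields[-1].isdigit():
            state = fields[3] if len(fields) == 5 else ""
            hits.append((fields[2], state, int(fields[-1])))
    return hits


def owning_pids(netstat_text, watched=WATCHED):
    """PIDs to investigate; PID 0 marks TIME_WAIT sockets with no owner left."""
    return sorted({pid for _, _, pid in find_connections(netstat_text, watched) if pid})


if __name__ == "__main__":
    for remote, state, pid in find_connections(SAMPLE):
        print(f"{remote:<22} {state:<12} PID {pid}")
    print("PIDs to look up:", owning_pids(SAMPLE))
```

On a live Windows host, feed the text of `netstat -ano` to `find_connections`, then resolve a reported PID with `tasklist /FI "PID eq <pid>"`.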