3. Now, organize Task Manager by PID by clicking over PID from columns names as shown below. This will make things easier to read for the next step.
4. Open command prompt from start menu. Enter command as "netstat -ano". It will display all the processes which are listening or establishing connection to network.
Only look for ESTABLISHED connections (it would be established if its a RAT or malicious), read the PID and crosscheck into Task Manager. Notice in my example that the only established connections use the PID 424. Lets take a look at what that is:
As we can see, its Firefox. Now lets say you notice the PID reads something like "svchost.exe". You should open the file location by right clicking it and pressing Open File Location and either scan it with Virustotal or check to see if in its legit location (if it was in Appdata or Program Files and it is svchost.exe, then you may have a problem).