Could be difficult. It depends if your server is headless (without a desktop), or whether it has a desktop environment installed and running. But I expect if it’s without a running desktop, then there is a process on your machine which is running and downloading it when deleted. If there is a desktop environment, then it would be an infected web browser, which is downloading it in the background.
You can try installing the chkrootkit or rkhunter packages, and run these to see if it will find any type of issues, but they might not find it. You will have to check the running process list and filter out known processes and see if there is anything else suspicious running other than the girmx process. If running a desktop environment, depending on whatever it is, I would stop the display manager so that the desktop is no longer running, check/verify running processes for anything suspicious, then remove girmx again, and see if it returns.
That’s all I can really suggest at the moment but if it keeps coming back and you cannot find what is causing it, your only real way forward is to backup your gitlab installation, and then clean install your server from scratch and install gitlab again and restore your data related to gitlab. If the rootkit scanning packages find anything, that could help make it easier, but it might not find anything. Usually these are best to be installed before a machine is infected, as it has a database of the packages/processes installed and running to verify against.