How to find the process which is looking up a URL / calling DNS?

Hello everyone
Does anyone know how I can find out which process/service is executing a DNS query?
Background: I recently got PiHole and I noticed in the log that my PC makes the following DNS call every 2 minutes:
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 query[A] filecrypt.cc from 192.168.1.131
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 forwarded filecrypt.cc to 8.8.4.4
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 forwarded filecrypt.cc to 8.8.8.8.8
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 reply filecrypt.cc is 193.23.181.136

What I tried:

  • First of all, I stopped all visible programs, services and irrelevant (user) processes:
  • CMD => netstat -a -o => :frowning:
  • Resource Manager + Task Manager => :frowning:
  • Full scan with Malwarebytes Anti-Malware (no findings)
  • Microsoft Network Monitor => The DNS call is logged, but without process.exe

I am really curious which service / process resolves filecrypt.cc every 2 minutes.

How could I proceed?

Kind regards

Co1m

You can't do it at pi-hole level.

Pi-hole really does not have the ability to see what process is calling that DNS request. No DNS server for that matter can do it.

What I would recommend is installing a firewall application (I use Comodo Firewall for the exact same reasons, to see what's calling home and from what process) on your machine and set it up in monitor mode.

You'll get your answer in ... 2 minutes :slight_smile:

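What the Pi-hole side can establish from the dnsmasq log format quoted in the question is the client address, the name and the query interval, but no process. The following is an added example, not part of the original thread; the sample lines after the first three are constructed, and `year`, `min_hits` and `max_jitter` are assumed parameters.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Matches the "query" lines of the dnsmasq log format quoted in the question.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: \d+ "
    r"(?P<client>[\d.]+)/\d+ query\[(?P<qtype>\w+)\] (?P<name>\S+) from ")

# Constructed sample: the first three lines follow the post, the rest are made up.
SAMPLE_LOG = """\
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 query[A] filecrypt.cc from 192.168.1.131
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 forwarded filecrypt.cc to 8.8.4.4
Apr 13 01:26:10 dnsmasq[485]: 473 192.168.1.131/59943 reply filecrypt.cc is 193.23.181.136
Apr 13 01:27:02 dnsmasq[485]: 474 192.168.1.131/51002 query[A] example.org from 192.168.1.131
Apr 13 01:28:10 dnsmasq[485]: 475 192.168.1.131/60112 query[A] filecrypt.cc from 192.168.1.131
Apr 13 01:30:11 dnsmasq[485]: 476 192.168.1.131/60544 query[A] filecrypt.cc from 192.168.1.131
Apr 13 01:31:40 dnsmasq[485]: 477 192.168.1.131/52871 query[A] example.org from 192.168.1.131
Apr 13 01:32:10 dnsmasq[485]: 478 192.168.1.131/61020 query[A] filecrypt.cc from 192.168.1.131
""".splitlines()

def parse_queries(lines, year=2024):
    """Yield (time, client, name, qtype); forwarded/reply lines are skipped.
    Syslog timestamps carry no year, so `year` is an assumed parameter."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["name"].lower(), m["qtype"]

def periodic_lookups(lines, min_hits=4, max_jitter=5.0):
    """Map (client, name, qtype) -> mean interval in seconds for lookups that
    repeat at least min_hits times with gaps varying by <= max_jitter (stdev)."""
    seen = defaultdict(list)
    for ts, client, name, qtype in parse_queries(lines):
        seen[(client, name, qtype)].append(ts)
    found = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter:
            found[key] = mean(gaps)
    return found

if __name__ == "__main__":
    for (client, name, qtype), secs in periodic_lookups(SAMPLE_LOG).items():
        print(f"{client} resolves {name} ({qtype}) about every {secs:.0f} s")
```

The client address and interval tell you which machine to watch and when; the process name still has to come from that machine.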

Check this link.

From this report it seems that the website is running a mining script on your PC :slight_smile:

The scripts are tied strictly to your browser and they run for as long as you keep your browser open.

Might be something else though like this:

https://www.eff.org/https-everywhere/atlas/domains/filecrypt.cc.html

WireShark the sucker ?!

No need for silly Firewall software :slight_smile: