This repository has been archived by the owner on Mar 17, 2024. It is now read-only.

How do I end the process #1238

Closed
someguy1412 opened this issue Jan 22, 2024 · 6 comments

@someguy1412

Quasar version

1.4.1

Server installed .NET version

.NET 6.0

Server operating system

Windows 11/Server 2022

Client installed .NET version

.Net 6.0

Client operating system

Windows 11/Server 2022

Build configuration

Release

Describe the bug

I cannot end the process that was made by client built.exe

How to reproduce

open builder
build it
open the file

Expected behavior

Cannot end the process.
Also, it doesn't connect with quasar.exe.

Actual behavior

.

Additional context

.

@edcdecl

edcdecl commented Jan 22, 2024

This is not a bug.

@someguy1412
Author

I don't care. How the fuck do you close it?

@MaxXor
Contributor

MaxXor commented Jan 22, 2024

Simply kill it in task manager.

@MaxXor closed this as not planned on Jan 22, 2024
@MaxXor added the invalid label and removed the bug label on Jan 22, 2024
@someguy1412
Author

Didn't work because it said access denied even though I'm administrator.

@MaxXor
Contributor

MaxXor commented Jan 22, 2024

Just reboot the PC then and remove it from autostart in task manager. However, normally Quasar has no persistence options to hinder terminating the process. Where did you download Quasar from?

@Yttrium-tYcLief

Yttrium-tYcLief commented Jan 25, 2024

> Just reboot the PC then and remove it from autostart in task manager. However, normally Quasar has no persistence options to hinder terminating the process. Where did you download Quasar from?

Unrelated (I think) to this original issue, but related to this question - it seems to me like malicious actors are using custom builds of Quasar to infect machines and remotely access them. I caught this happening in the act on a machine I admin. I fully understand this is an open-source project, and greatly value that, but figured I should make you aware of the fact that it is now turning up in malicious situations.

Malwarebytes actually caught it as renamed processes hidden in manually-created Roaming folders. I've seen it named as NVIDIA.exe, explorer.exe, Discord.exe, and uTorrent.exe. These malicious versions of the binary use app icons of the apps they're trying to impersonate, but under the hood it's Quasar and the files even mention your name (MaxXor) in the description fields of their metadata.

When active, it seems bad actors are logging into these machines, firing up Chrome, and going for low-hanging fruit of directly accessing PayPal and other institutions. They can't get past 2FA, but they're hoping their prey have autofill for passwords and don't have 2FA, in which case they immediately try to drain accounts. In the instance above they accessed Gmail looking for leads, and then tried PayPal and Coinbase, all in a matter of minutes.

I really hope, for your sake, this practice doesn't get too widely-adopted, or else it's going to train antivirus heuristics that anything related to Quasar is a PUP.

I'd be interested in obtaining logs - how exactly are those stored? I see the documentation about setting a path, but it doesn't say much about the log format. There are (expectedly) a lot of nondescript log files on a typical system.
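
The pattern reported in the comment above (renamed Quasar builds sitting in Roaming folders, with file metadata that still mentions MaxXor) can be hunted for with a script like the following. This is an added example, not part of the original thread or the Quasar project; the metadata strings it matches and the default profile location under `Users` are assumptions.

```powershell
# Added example: hunt for executables under each profile's Roaming folder that
# match the pattern reported above. Not code from the Quasar project.

# File names the comment reports seeing; extend with local observations.
$ImpersonatedNames = 'NVIDIA.exe', 'explorer.exe', 'Discord.exe', 'uTorrent.exe'
# Assumption: strings to look for in version metadata ("mention your name (MaxXor)").
$MetadataPattern = 'MaxXor|Quasar'

function Test-SuspectMetadata {
    param($Info)
    if (-not $Info) { return $false }
    $fields = $Info.FileDescription, $Info.ProductName, $Info.CompanyName,
              $Info.LegalCopyright, $Info.OriginalFilename, $Info.InternalName
    return [bool]($fields | Where-Object { $_ -match $MetadataPattern })
}

# Assumption: profiles live in the default location. Run elevated to read them all.
$usersRoot = Join-Path $env:SystemDrive 'Users'
$roamingDirs = Get-ChildItem $usersRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' } |
    Where-Object { Test-Path $_ }

# Paths of running processes, to show which hits are live right now.
$runningPaths = @(Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path })

$findings = foreach ($dir in $roamingDirs) {
    Get-ChildItem $dir -Recurse -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $info = try { [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName) }
                catch { $null }
        $metaHit = Test-SuspectMetadata $info
        $nameHit = $ImpersonatedNames -contains $file.Name
        if ($metaHit -or $nameHit) {
            [pscustomobject]@{
                Path        = $file.FullName
                MetadataHit = $metaHit   # metadata mentions MaxXor/Quasar
                NameHit     = $nameHit   # name matches one reported above
                Description = if ($info) { $info.FileDescription } else { $null }
                Running     = $runningPaths -contains $file.FullName
                SHA256      = (Get-FileHash $file.FullName -ErrorAction SilentlyContinue).Hash
            }
        }
    }
}

$findings | Sort-Object MetadataHit -Descending | Format-List
```

A `NameHit` on its own is only a lead, since some software legitimately installs under Roaming; a `MetadataHit` on a file carrying another application's name is the combination described in the comment.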
