quasar / Quasar

Remote Administration Tool for Windows


How do I end the process?

someguy1412 opened this issue · comments

Quasar version

1.4.1

Server installed .NET version

.NET 6.0

Server operating system

Windows 11/Server 2022

Client installed .NET version

.NET 6.0

Client operating system

Windows 11/Server 2022

Build configuration

Release

Describe the bug

I cannot end the process that was made by Client-built.exe.

How to reproduce

Open the builder.
Build it.
Open the file.

Expected behavior

Cannot end the process.
Also, it doesn't connect with Quasar.exe.

Actual behavior

.

Additional context

.


This is not a bug.

I don't care. How the fuck do you close it?

Simply kill it in task manager.

Didn't work because it said access denied, even though I'm administrator.

Just reboot the PC then and remove it from autostart in task manager. However normally Quasar has no persistence options to hinder terminating the process. Where did you download Quasar from?

Unrelated (I think) to this original issue, but related to this question - it seems to me like malicious actors are using custom builds of Quasar to infect machines and remotely access them. I caught this happening in the act on a machine I admin. I fully understand this is an open-source project, and greatly value that, but figured I should make you aware of the fact that it is now turning up in malicious situations.

Malwarebytes actually caught it as renamed processes hidden in manually-created Roaming folders. I've seen it named as NVIDIA.exe, explorer.exe, Discord.exe, and uTorrent.exe. These malicious versions of the binary use app icons of the apps they're trying to impersonate, but under the hood it's Quasar and the files even mention your name (MaxXor) in the description fields of their metadata.

When active, it seems bad actors are logging into these machines, firing up Chrome, and going for low-hanging fruit of directly accessing PayPal and other institutions. They can't get past 2FA, but they're hoping their prey have autofill for passwords and don't have 2FA, in which case they immediately try to drain accounts. In the instance above they accessed Gmail looking for leads, and then tried PayPal and Coinbase, all in a matter of minutes.

I really hope, for your sake, this practice doesn't get too widely adopted, or else it's going to train antivirus heuristics that anything related to Quasar is a PUP.

I'd be interested in obtaining logs - how exactly are those stored? I see the documentation about setting a path, but it doesn't say much about the log format. There are (expectedly) a lot of nondescript log files on a typical system.
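The renamed-binary pattern the previous comment describes (Quasar client executables dropped into hand-made folders under Roaming, named after NVIDIA, Explorer, Discord or uTorrent, with the original author's name still in the version metadata, and started from an autostart entry) can be hunted for with a short script. The following is an added example written for this thread; it is not code from the Quasar project or from anyone in this discussion. It assumes the impersonated names and the "MaxXor"/"Quasar" metadata strings reported above, and only flags files and autostart entries for an administrator to review:

```powershell
# Added example (not Quasar project code): look for renamed Quasar-style binaries
# running from %APPDATA% (Roaming) or registered in the Run keys.
# Assumptions: the name list and metadata markers come from the comment above;
# command lines in the Run keys are simple enough to split on the first quoted path or space.

$Markers           = @('Quasar', 'MaxXor')                                   # strings reported in file version metadata
$ImpersonatedNames = @('NVIDIA.exe', 'explorer.exe', 'Discord.exe', 'uTorrent.exe')  # names reported in the thread
$Roaming           = [Environment]::GetFolderPath('ApplicationData')          # %APPDATA% (Roaming)
$WinDir            = $env:WINDIR

function Test-SuspiciousBinary {
    # Returns a list of reasons (possibly empty) why the file at $Path looks like a renamed client.
    param([string]$Path, [string]$FileName)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $reasons = @()
    $vi   = (Get-Item -LiteralPath $Path).VersionInfo
    $meta = @($vi.FileDescription, $vi.CompanyName, $vi.ProductName,
              $vi.LegalCopyright, $vi.InternalName, $vi.OriginalFilename) -join ' '
    foreach ($m in $Markers) {
        if ($meta -match [regex]::Escape($m)) { $reasons += "version metadata mentions '$m'" }
    }
    if ($Path.StartsWith($Roaming, [StringComparison]::OrdinalIgnoreCase) -and ($ImpersonatedNames -contains $FileName)) {
        $reasons += "impersonated name '$FileName' running from Roaming"
    }
    if ($FileName -ieq 'explorer.exe' -and -not $Path.StartsWith($WinDir, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "explorer.exe outside $WinDir"
    }
    return $reasons
}

# 1. Running processes. Path is null for processes we cannot open (e.g. protected system processes).
Get-Process | ForEach-Object {
    $p = $_
    $path = try { $p.Path } catch { $null }
    $r = Test-SuspiciousBinary -Path $path -FileName ("$($p.ProcessName).exe")
    if ($r.Count -gt 0) {
        [PSCustomObject]@{ Source = 'process'; Id = $p.Id; Path = $path; Reasons = ($r -join '; ') }
    }
}

# 2. Autostart entries (per-user and machine Run keys) whose target looks like a renamed client.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }                 # skip PSPath, PSParentPath, ...
        $cmd = [string]$prop.Value
        # Recover the executable path: quoted path first, otherwise everything before the first space.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ', 2)[0] }
        $r = Test-SuspiciousBinary -Path $exe -FileName ([IO.Path]::GetFileName($exe))
        if ($r.Count -gt 0) {
            [PSCustomObject]@{ Source = "$key\$($prop.Name)"; Id = $null; Path = $exe; Reasons = ($r -join '; ') }
        }
    }
}
```

Run it from an elevated PowerShell prompt so that process paths are readable; each emitted object names the file, the autostart entry it was found in, and the reason it was flagged. The reboot-then-remove-from-autostart advice given earlier in the thread maps onto part 2: an entry in either Run key pointing into Roaming with these markers is the thing to delete before the next logon.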