Au_.exe has been confirmed to be an integral part of the NSIS installation package, not a virus.
When uninstalling 360safe, it will indeed connect to port 80 of the following address.
60.195.253.85
The captured packets are as follows:
Source address: 10.1.5.189 Port: 1214 Destination address: 60.195.253.85 Port: 80 TTL: 64 PacketSize: 64
Protocol: TCP
0x02 0x04 0x05 0xAC 0x01 0x03 0x03 0x02 0x01 0x01 0x08 0x0A 0x00 0x00 0x00 0x00 ................
0x00 0x00 0x00 0x00 0x01 0x01 0x04 0x02 ........
Source address: 10.1.5.189 Port: 1214 Destination address: 60.195.253.85 Port: 80 TTL: 64 PacketSize: 52
Protocol: TCP
01 01 08 0A 00 32 7A 78 59 FD D1 35 .....2zxY..5
Source address: 60.195.253.85 Port: 80 Destination address: 10.1.5.189 Port: 1214 TTL: 50 PacketSize: 60
Protocol: TCP
0x02 0x04 0x05 0x18 0x01 0x03 0x03 0x00 0x01 0x01 0x08 0x0A 0x59 0xFD 0xD1 0x35 ............Y..5
0x00 0x00 0x00 0x00 ....
Source address: 10.1.5.189 Port: 1214 Destination address: 60.195.253.85 Port: 80 TTL: 64 PacketSize: 352
Protocol: TCP
0x01 0x01 0x08 0x0A 0x00 0x32 0x7A 0x78 0x59 0xFD 0xD1 0x35 0x47 0x45 0x54 0x20 .....2zxY..5GET
0x2F 0x72 0x65 0x67 0x2F 0x73 0x61 0x66 0x65 0x5F 0x75 0x6E 0x69 0x2E 0x68 0x74 /reg/safe_uni.ht
0x6D 0x3F 0x70 0x61 0x72 0x74 0x6E 0x65 0x72 0x3D 0x68 0x5F 0x68 0x6F 0x6D 0x65 m?partner=h_home
0x26 0x76 0x65 0x72 0x3D 0x32 0x2E 0x30 0x2E 0x30 0x2E 0x33 0x30 0x30 0x33 0x26 &ver=2.0.0.3003&
0x74 0x3D 0x33 0x33 0x30 0x38 0x32 0x37 0x31 0x38 0x37 0x20 0x48 0x54 0x54 0x50 t=330827187 HTTP
0x2F 0x31 0x2E 0x31 0x0D 0x0A 0x41 0x63 0x63 0x65 0x70 0x74 0x3A 0x20 0x2A 0x2F /1.1..Accept: */
0x2A 0x0D 0x0A 0x41 0x63 0x63 0x65 0x70 0x74 0x2D 0x45 0x6E 0x63 0x6F 0x64 0x69 *..Accept-Encodi
0x6E 0x67 0x3A 0x20 0x67 0x7A 0x69 0x70 0x2C 0x20 0x64 0x65 0x66 0x6C 0x61 0x74 ng: gzip, deflat
0x65 0x0D 0x0A 0x55 0x73 0x65 0x72 0x2D 0x41 0x67 0x65 0x6E 0x74 0x3A 0x20 0x4D e..User-Agent: M
0x6F 0x7A 0x69 0x6C 0x6C 0x61 0x2F 0x34 0x2E 0x30 0x20 0x28 0x63 0x6F 0x6D 0x70 ozilla/4.0 (comp
0x61 0x74 0x69 0x62 0x6C 0x65 0x3B 0x20 0x4D 0x53 0x49 0x45 0x20 0x36 0x2E 0x30 atible; MSIE 6.0
0x3B 0x20 0x57 0x69 0x6E 0x64 0x6F 0x77 0x73 0x20 0x4E 0x54 0x20 0x35 0x2E 0x31 ; Windows NT 5.1
0x3B 0x20 0x53 0x56 0x31 0x3B 0x20 0x54 0x65 0x6E 0x63 0x65 0x6E 0x74 0x54 0x72 ; SV1; TencentTr
0x61 0x76 0x65 0x6C 0x65 0x72 0x20 0x3B 0x20 0x46 0x44 0x4D 0x3B 0x20 0x2E 0x4E aveler ; FDM; .N
0x45 0x54 0x20 0x43 0x4C 0x52 0x20 0x31 0x2E 0x31 0x2E 0x34 0x33 0x32 0x32 0x3B ET CLR 1.1.4322;
0x20 0x2E 0x4E 0x45 0x54 0x20 0x43 0x4C 0x52 0x20 0x32 0x2E 0x30 0x2E 0x35 0x30 .NET CLR 2.0.50
0x37 0x32 0x37 0x29 0x0D 0x0A 0x48 0x6F 0x73 0x74 0x3A 0x20 0x69 0x6E 0x73 0x74 727)..Host: inst
0x2E 0x33 0x36 0x30 0x73 0x61 0x66 0x65 0x2E 0x63 0x6F 0x6D 0x0D 0x0A 0x43 0x6F .360safe.com..Co
0x6E 0x6E 0x65 0x63 0x74 0x69 0x6F 0x6E 0x3A 0x20 0x4B 0x65 0x65 0x70 0x2D 0x41 nnection: Keep-A
0x6C 0x69 0x76 0x65 0x0D 0x0A 0x0D 0x0A ive.....
Source address: 60.195.253.85 Port: 80 Destination address: 10.1.5.189 Port: 1214 TTL: 50 PacketSize: 215
Protocol: TCP
0x01 0x01 0x08 0x0A 0x59 0xFD 0xD1 0x45 0x00 0x32 0x7A 0x78 0x48 0x54 0x54 0x50 ....Y..E.2zxHTTP
0x2F 0x31 0x2E 0x31 0x20 0x32 0x30 0x30 0x20 0x4F 0x4B 0x0D 0x0A 0x44 0x61 0x74 /1.1 200 OK..Dat
0x65 0x3A 0x20 0x54 0x75 0x65 0x2C 0x20 0x31 0x37 0x20 0x4F 0x63 0x74 0x20 0x32 e: Tue, 17 Oct 2
0x30 0x30 0x36 0x20 0x30 0x32 0x3A 0x34 0x33 0x3A 0x33 0x34 0x20 0x47 0x4D 0x54 006 02:43:34 GMT
0x0D 0x0A 0x53 0x65 0x72 0x76 0x65 0x72 0x3A 0x20 0x41 0x70 0x61 0x63 0x68 0x65 ..Server: Apache
0x0D 0x0A 0x58 0x2D 0x50 0x6F 0x77 0x65 0x72 0x65 0x64 0x2D 0x42 0x79 0x3A 0x20 ..X-Powered-By:
0x50 0x48 0x50 0x2F 0x34 0x2E 0x33 0x2E 0x31 0x31 0x0D 0x0A 0x43 0x6F 0x6E 0x74 PHP/4.3.11..Cont
0x65 0x6E 0x74 0x2D 0x4C 0x65 0x6E 0x67 0x74 0x68 0x3A 0x20 0x32 0x0D 0x0A 0x43 ent-Length: 2..C
0x6F 0x6E 0x6E 0x65 0x63 0x74 0x69 0x6F 0x6E 0x3A 0x20 0x63 0x6C 0x6F 0x73 0x65 onnection: close
0x0D 0x0A 0x43 0x6F 0x6E 0x74 0x65 0x6E 0x74 0x2D 0x54 0x79 0x70 0x65 0x3A 0x20 ..Content-Type:
0x74 0x65 0x78 0x74 0x2F 0x68 0x74 0x6D 0x6C 0x0D 0x0A 0x0D 0x0A 0x6F 0x6B ext/html....ok.
Source address: 60.195.253.85 Port: 80 Destination address: 10.1.5.189 Port: 1214 TTL: 50 PacketSize: 52
Protocol: TCP
01 01 08 0A 59 FD D1 45 00 32 7A 78 ....Y..E.2zx
Source address: 10.1.5.189 Port: 1214 Destination address: 60.195.253.85 Port: 80 TTL: 64 PacketSize: 52
Protocol: TCP
01 01 08 0A 00 32 7A 7A 59 FD D1 45 .....2zzY..E
Source address: 10.1.5.189 Port: 1214 Destination address: 60.195.253.85 Port: 80 TTL: 64 PacketSize: 52
Protocol: TCP
01 01 08 0A 00 32 7A 7A 59 FD D1 45 .....2zzY..E
Source address: 60.195.253.85 Port: 80 Destination address: 10.1.5.189 Port: 1214 TTL: 50 PacketSize: 52
Protocol: TCP
01 01 08 0A 59 FD D1 54 00 32 7A 7A ....Y..T.2zz
NSIS is the Nullsoft Install System, a tool for making installation programs.
The search results are as follows:
NSIS is the abbreviation of "Nullsoft Scriptable Installation System". It is a free Win32 installation and uninstallation system that uses a simple and efficient scripting method. It was originally created by Nullsoft and used to release Winamp and its plug-ins, but it has since been adopted by hundreds of applications as their release tool.
Installers created by NSIS can install, uninstall, change system settings, extract files, and so on. Almost everything can be done. Because it is based on script files, you have complete control over every part of your installer. Its scripting language supports variables, functions, and string processing, just like a normal programming language, but it is designed only to create installers.
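To read the uninstaller's request without decoding the hex by eye, the rows of the capture can be turned back into bytes and the HTTP request pulled out from behind the leading TCP option bytes. This is an added example, not part of the original post; the function names are hypothetical, and the sample is constructed from the option bytes and request values shown in the capture, with the headers shortened to Host only.

```python
import re
from urllib.parse import urlsplit, parse_qs

HEX_TOKEN = re.compile(r"0x[0-9A-Fa-f]{2}")
REQUEST_LINE = re.compile(rb"(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")

def dump_to_bytes(rows):
    """Rebuild raw bytes from '0xNN 0xNN ... ascii' rows of the capture."""
    out = bytearray()
    for row in rows:
        for tok in row.split():
            if not HEX_TOKEN.fullmatch(tok):
                break  # first non-hex token starts the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def parse_beacon(raw):
    """Return method, host, path and query parameters of the HTTP request,
    or None for segments that carry only TCP options (SYN, ACK, FIN)."""
    m = REQUEST_LINE.search(raw)  # skips the leading TCP option bytes
    if m is None:
        return None
    head = raw[m.end():].split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = dict(h.split(": ", 1) for h in head.split("\r\n") if ": " in h)
    url = urlsplit(m.group(2).decode("latin-1"))
    return {"method": m.group(1).decode(), "host": headers.get("Host"),
            "path": url.path,
            "params": {k: v[0] for k, v in parse_qs(url.query).items()}}

def to_dump(raw, width=16):
    """Helper for the constructed sample: render bytes in the page's layout."""
    rows = []
    for i in range(0, len(raw), width):
        chunk = raw[i:i + width]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(" ".join(f"0x{b:02X}" for b in chunk) + " " + text)
    return rows

# Constructed sample: option bytes and request values copied from the capture,
# headers shortened to Host only.
OPTIONS = bytes.fromhex("0101080a00327a7859fdd135")
SAMPLE_ROWS = to_dump(OPTIONS + (
    b"GET /reg/safe_uni.htm?partner=h_home&ver=2.0.0.3003&t=330827187 HTTP/1.1\r\n"
    b"Host: inst.360safe.com\r\n\r\n"))

if __name__ == "__main__":
    print(parse_beacon(dump_to_bytes(SAMPLE_ROWS)))
```

The same two functions can be run over the original rows of the 352-byte packet; the option-only segments (PacketSize 52, 60, 64) return None.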