nvspcap64.dll

NVIDIA GeForce Experience

NVIDIA Corporation

It is configured to run automatically whenever any user logs into Windows, via the machine-wide Run registry key, under the entry name ‘ShadowPlay’.
Reason Core Security
Publisher:
NVIDIA Corporation (signed and verified)

Product:
NVIDIA GeForce Experience

Description:
NVIDIA Capture Server Proxy

Version:
9.3.16.0

MD5:
372fb9c5abc9c28c21cd70b1ef6275a0

SHA-1:
10d5db76e8b8e91c0412555832b8db2d15de8b40

SHA-256:
7ac40cf3794ce7e7d43dd0151d7f28da2620ad3896771d9760cf4e125a805976

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
7/3/2015 4:15:53 PM UTC

File size:
1 MB (1,063,200 bytes)

Product version:
9.3.16.0

Copyright:
(C) NVIDIA Corporation. All rights reserved.

Original file name:
nvspcap.dll

File type:
Dynamic link library (Win64 DLL)

Language:
English (United States)

Common path:
C:\Windows\System32\nvspcap64.dll

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
9/1/2011 7:00:00 PM

Valid to:
9/1/2014 6:59:59 PM

Subject:
CN=NVIDIA Corporation, OU=Software, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
43BB437D609866286DD839E1D00309F5

File PE Metadata
Compilation timestamp:
10/16/2013 11:27:50 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:3XaL/s2VkFgBx5vuel6tiJGFG4u0nVDZDNEv+RVIQAy9iZztpG:3XaL/sKrx5Ai750nJpNEvoAy9iZztpG

Entry address:
0x8C290

Entry point:
48, 89, 5C, 24, 08, 48, 89, 74, 24, 10, 57, 48, 83, EC, 20, 49, 8B, F8, 8B, DA, 48, 8B, F1, 83, FA, 01, 75, 05, E8, A3, 87, 00, 00, 4C, 8B, C7, 8B, D3, 48, 8B, CE, 48, 8B, 5C, 24, 30, 48, 8B, 74, 24, 38, 48, 83, C4, 20, 5F, E9, AB, FE, FF, FF, CC, CC, CC, 48, 8B, C4, 48, 89, 58, 08, 48, 89, 68, 10, 48, 89, 70, 18, 48, 89, 78, 20, 41, 54, 48, 83, EC, 20, 4D, 8B, 51, 38, 48, 8B, F2, 4D, 8B, E0, 41, 8B, 02, 48, 8B, E9, 49, 8B, D1, 48, 03, C0, 48, 8B, CE, 49, 8B, F9, 49, 8D, 5C, C2, 04, 4C, 8B, C3, E8, 32, E0...

Entropy:
5.5929

Code size:
872 KB (892,928 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ShadowPlay

Command:
C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,shadowplayonsystemstart
