S1-mp64-ship.exe
Because “-ship.exe” files are known to gamers, attackers often name malware to blend in. Treat the file as suspicious under the following conditions:
| Indicator | Low Risk (Likely Legit) | High Risk (Likely Malware) |
| :--- | :--- | :--- |
| Location | ...\GameName\Binaries\Win64\ | C:\Windows\, C:\Users\Public\, Temp\, AppData\Roaming\ |
| Digital Signature | Valid signature from a known game publisher (e.g., Epic Games, Valve, or indie dev) | No signature, invalid signature, or signature from an unknown/suspicious CA |
| Behavior | Runs only when game is launched; uses high CPU/GPU normally | Persists after reboot; injects into other processes; makes outbound connections to suspicious IPs |
| Parent Process | Launched by explorer.exe (user double-click) or Steam/Epic launcher | Launched by cmd.exe, wscript.exe, or via scheduled task |
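
The location, signature and parent-process rows of the table can be checked from PowerShell for any running instance. This is an added example, not part of the original page; the launcher process names (steam.exe, EpicGamesLauncher.exe) are assumptions, and the Behavior row is not covered.

```powershell
# Added example: triage running instances of the binary against the table's indicators.
$Name = 'S1-mp64-ship.exe'

# Path fragments and cmd/wscript/explorer come from the table; launcher names are assumptions.
$HighRiskPaths   = '\Windows\', '\Users\Public\', '\Temp\', '\AppData\Roaming\'
$LowRiskParents  = 'explorer.exe', 'steam.exe', 'EpicGamesLauncher.exe'
$HighRiskParents = 'cmd.exe', 'wscript.exe'

Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
    $proc   = $_
    $path   = $proc.ExecutablePath   # empty when the caller lacks rights to query the process
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # A "parent" created after the child means the PID was reused; discard it.
    if ($parent -and $parent.CreationDate -gt $proc.CreationDate) { $parent = $null }

    $sig = if ($path) { Get-AuthenticodeSignature -LiteralPath $path }

    $flags = @()
    if (-not $path) { $flags += 'path unreadable (re-run elevated)' }
    foreach ($frag in $HighRiskPaths) {
        if ($path -and $path.IndexOf($frag, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $flags += "high-risk location ($frag)"
        }
    }
    if ($path -and $path -notlike '*\Binaries\Win64\*') { $flags += 'not under Binaries\Win64' }
    if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }

    if (-not $parent) { $flags += 'parent no longer running' }
    elseif ($HighRiskParents -contains $parent.Name) { $flags += "high-risk parent: $($parent.Name)" }
    elseif ($LowRiskParents -notcontains $parent.Name) { $flags += "unlisted parent: $($parent.Name)" }

    [pscustomobject]@{
        PID    = $proc.ProcessId
        Path   = $path
        Signer = $sig.SignerCertificate.Subject
        Parent = $parent.Name
        Flags  = $flags -join '; '
    }
} | Format-List
```

A valid signature only proves the file was signed by the listed subject, so compare the Signer field against the publisher of the game actually installed in that folder.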
Once executed, S1-mp64-ship.exe performs a range of harmful activities. Security sandbox reports (from sources like ANY.RUN, Hybrid Analysis, and Joe Sandbox) show the following:
Some older or custom deployments of the SentinelOne EDR (Endpoint Detection and Response) product have been observed using a similarly named shim or wrapper. However, official SentinelOne executables are normally signed and named SentinelAgent.exe or SentinelOne.exe. If S1-mp64-ship.exe is found in C:\Program Files\SentinelOne\, it may be a renamed or third-party component; verify digital signatures.
⚠️ Do not simply delete the file. It often has persistence and will recreate itself. Follow this proper removal process.
If you're tasked with reporting on this file due to an issue:
Using File Explorer, search your entire C: drive for S1-mp64-ship.exe. Delete each found instance. Also delete these common hidden companions: