Login
If you see S1-mp64-ship.exe in the installation folder of a legitimate game you purchased, it is safe. However, because the filename looks technical and "system-y," malware authors sometimes mimic this naming convention to trick users.
Red Flags to watch for:
Document Type: Technical File Brief
Risk Assessment Level: Medium (Context Dependent)
Date: Current S1-mp64-ship.exe -
Check if any process named S1-mp64-ship.exe has active connections to IPs outside your local network. Non-standard ports (4444, 8080, 5555) are red flags.
Because “-ship.exe” files are known to gamers, attackers often name malware to blend in. Treat the file as suspicious under the following conditions: If you see S1-mp64-ship
| Indicator | Low Risk (Likely Legit) | High Risk (Likely Malware) |
| :--- | :--- | :--- |
| Location | ...\GameName\Binaries\Win64\ | C:\Windows\, C:\Users\Public\, Temp\, AppData\Roaming\ |
| Digital Signature | Valid signature from a known game publisher (e.g., Epic Games, Valve, or indie dev) | No signature, invalid signature, or signature from an unknown/可疑 CA |
| Behavior | Runs only when game is launched; uses high CPU/GPU normally | Persists after reboot; injects into other processes; makes outbound connections to suspicious IPs |
| Parent Process | Launched by explorer.exe (user double-click) or Steam/Epic launcher | Launched by cmd.exe, wscript.exe, or via scheduled task |
Malware with randomized names like S1-mp64-ship.exe is rarely downloaded intentionally. It is usually disguised as something else. Common distribution methods include: Because “-ship
Then that game folder has been tampered with. The file is not part of the original game. Delete it, then verify game file integrity via Steam/Origin/Epic Launcher. Also run a full system scan, because the injector likely modified game DLLs.