The legitimate explorer.exe is the built-in Windows file explorer. However, explorer.exe is also one of the names most commonly used by malware. Signs of the legitimate explorer.exe:
Image Path: %SystemRoot%\explorer.exe
Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.
Number of Instances: One or more per interactively logged-on user
User Account: <logged-on user(s)>
Start Time: First instance starts when the owner’s interactive logon begins
Also note that malware could inject code into the memory space of the legitimate explorer.exe. In that case we would need to analyze the DLLs that are loaded, or the actual code running in memory.
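The baseline above can be applied mechanically to a process snapshot. The following is an added example, not part of the original page: the record fields (pid, ppid, name, path, user, start), the finding labels and all sample data are constructed for illustration, and a real snapshot would come from your own process-listing or memory-analysis tool.

```python
import ntpath
from datetime import datetime

# Constructed sample data (not from a real host).
SYSTEM_ROOT = r"C:\Windows"
LOGONS = {r"LAB\alice": datetime(2024, 1, 8, 9, 0, 0)}  # interactive user -> logon time
PROCESSES = [
    {"pid": 4012, "ppid": 3880, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "user": r"LAB\alice", "start": datetime(2024, 1, 8, 9, 0, 4)},
    {"pid": 4460, "ppid": 4012, "name": "winword.exe", "path": r"C:\Office\winword.exe",
     "user": r"LAB\alice", "start": datetime(2024, 1, 8, 9, 20, 0)},
    {"pid": 5120, "ppid": 4460, "name": "explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "user": r"LAB\alice", "start": datetime(2024, 1, 8, 9, 30, 0)},
    {"pid": 6200, "ppid": 700, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "user": r"NT AUTHORITY\SYSTEM", "start": datetime(2024, 1, 8, 8, 0, 0)},
]

def check_explorer(proc, processes, system_root=SYSTEM_ROOT, logons=LOGONS):
    """Return the baseline attributes this explorer.exe record deviates from."""
    findings = []
    # Image Path: %SystemRoot%\explorer.exe (Windows paths compare case-insensitively).
    expected = ntpath.normcase(ntpath.join(system_root, "explorer.exe"))
    if ntpath.normcase(proc["path"]) != expected:
        findings.append("image_path")
    # Parent Process: userinit.exe exits, so a parent that is still running
    # and is not userinit.exe is worth reviewing.
    parent = next((p for p in processes if p["pid"] == proc["ppid"]), None)
    if parent is not None and parent["name"].lower() != "userinit.exe":
        findings.append("parent")
    # User Account: must belong to an interactively logged-on user.
    logon = logons.get(proc["user"])
    if logon is None:
        findings.append("user")
    # Start Time: an instance cannot predate its owner's interactive logon.
    elif proc["start"] < logon:
        findings.append("start_time")
    return findings

def triage(processes=PROCESSES):
    """Map the PID of every process named explorer.exe to its deviations."""
    return {p["pid"]: check_explorer(p, processes)
            for p in processes if p["name"].lower() == "explorer.exe"}

if __name__ == "__main__":
    for pid, findings in triage().items():
        print(pid, findings or "matches baseline")
```

A finding is a lead for review, not a verdict, and an instance that matches the baseline can still host injected code, which these attribute checks do not see.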