Threat actors use the usm.exe filename in two primary ways:
The filename usm.exe (often found alongside unins000.exe, sqlite3.dll, and libcurl.dll) is one that system administrators and security analysts encounter regularly. Because the genuine binary carries a valid digital signature and turns up rarely in enterprise environments, a file bearing this name tends to attract little scrutiny from heuristic detection. Threat actors exploit that trust by giving their own executables the same name so they blend in, leading to system degradation, data loss, and network compromise.
You do not need to be a cybersecurity expert to verify the integrity of usm.exe. Follow these four diagnostic steps.
The Intel Management Engine (ME) is a small operating system that runs on a separate processor within the Intel chipset. It provides various features, including:
The following IoCs distinguish malicious from legitimate usm.exe:
| Category | Legitimate (USM Software) | Malicious Variant |
|----------|---------------------------|-------------------|
| Digital Signature | Valid, issued to USM Software LLC | Missing, invalid, or self-signed |
| File Size | 1.5 MB – 2.2 MB | <500 KB (dropper) or >5 MB (miner) |
| Location | Program Files\USM\ | %Temp%\, %AppData%\Local\Temp\, C:\Users\Public\ |
| Persistence | None (run manually) | Run key, scheduled task, Startup folder |
| Parent Process | explorer.exe (launched by the user) | Script host (wscript.exe, cscript.exe), a web browser, or an email client (the file arrived as a download or attachment) |
| Network Behavior | HTTP/HTTPS to file hosting APIs | Stratum (mining), C2 over DNS or HTTPS |
| CPU Usage | Spikes only during transfer | Constant high usage |
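The table above can be turned directly into a host-side triage check. The following PowerShell script is an added example, not code from the original article or from the USM vendor: it locates every usm.exe under the usual install and drop locations and tests each copy against the indicator rows (signature, size, location, persistence, parent process, network, CPU). The expected signer name and install directory are taken from the table; the list of suspicious parent processes beyond wscript.exe, the 50 % CPU threshold, and the 80/443 port filter are this script's own assumptions, not facts from the page.

```powershell
# Added example (not from the original article): triage usm.exe copies against the
# indicator table. Assumptions: signer name and install directory come from the table;
# the parent list beyond wscript.exe/cscript.exe, the 50 % CPU threshold and the 80/443
# port filter are this script's own choices. Run from an elevated PowerShell session.

$ExpectedSigner = 'USM Software LLC'                       # from the table
$ExpectedDir    = Join-Path $env:ProgramFiles 'USM'        # from the table
$DropDirs       = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp'), 'C:\Users\Public')
$SuspectParents = @('wscript.exe', 'cscript.exe',                       # from the table
                    'powershell.exe', 'cmd.exe', 'mshta.exe',           # assumption
                    'chrome.exe', 'msedge.exe', 'firefox.exe', 'outlook.exe')  # browser/email, assumption
$RunKeys        = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

function Test-UsmExe {
    param([Parameter(Mandatory)][string]$Path)
    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $findings = [System.Collections.Generic.List[string]]::new()

    # Digital signature: the genuine build is validly signed by the vendor.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status $($sig.Status)")
    } elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $findings.Add("signed by unexpected subject '$($sig.SignerCertificate.Subject)'")
    }

    # File size: the table gives 1.5-2.2 MB for the legitimate binary.
    $mb = $file.Length / 1MB
    if     ($mb -lt 0.5)                 { $findings.Add(('{0:N2} MB, dropper-sized' -f $mb)) }
    elseif ($mb -gt 5)                   { $findings.Add(('{0:N2} MB, oversized (bundled miner?)' -f $mb)) }
    elseif ($mb -lt 1.5 -or $mb -gt 2.2) { $findings.Add(('{0:N2} MB, outside the 1.5-2.2 MB range' -f $mb)) }

    # Location: anything outside Program Files\USM, and especially the known drop directories.
    if ($file.DirectoryName -notlike "$ExpectedDir*") { $findings.Add("located outside $ExpectedDir") }
    foreach ($d in $DropDirs) {
        if ($d -and $file.DirectoryName -like "$d*") { $findings.Add("located in drop directory $d") }
    }

    # Persistence: Run keys, scheduled-task actions and Startup folders that reference the file.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($p.Value)" -like "*$($file.Name)*") { $findings.Add("Run key $key\$($p.Name) = $($p.Value)") }
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -like "*$($file.Name)*") {
                $findings.Add("scheduled task $($task.TaskPath)$($task.TaskName) runs $($a.Execute)")
            }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Get-ChildItem -LiteralPath $dir -Filter '*usm*' -ErrorAction SilentlyContinue)) {
            $findings.Add("startup folder $dir contains a usm entry")
        }
    }

    # Live process: parent, established connections on non-web ports, and a 5 s CPU sample.
    foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name = 'usm.exe'")) {
        if ($proc.ExecutablePath -and $proc.ExecutablePath -ine $file.FullName) { continue }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $pname  = if ($parent) { $parent.Name } else { '<exited>' }
        if     ($pname -in $SuspectParents) { $findings.Add("PID $($proc.ProcessId) spawned by $pname") }
        elseif ($pname -ine 'explorer.exe') { $findings.Add("PID $($proc.ProcessId) has unexpected parent $pname") }

        Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -notin 80, 443 } |
            ForEach-Object { $findings.Add("PID $($proc.ProcessId) -> $($_.RemoteAddress):$($_.RemotePort) on a non-web port; check for Stratum") }

        # Legitimate usage spikes only during a transfer, so sample CPU while the user is idle.
        $p = Get-Process -Id $proc.ProcessId -ErrorAction SilentlyContinue
        if ($p) {
            $t0 = $p.TotalProcessorTime; Start-Sleep -Seconds 5; $p.Refresh()
            $pct = ($p.TotalProcessorTime - $t0).TotalSeconds / 5 / [Environment]::ProcessorCount * 100
            if ($pct -gt 50) { $findings.Add(('{0:N0}% CPU over a 5 s sample with no transfer running' -f $pct)) }
        }
    }

    [pscustomobject]@{
        Path     = $file.FullName
        Verdict  = if ($findings.Count -eq 0) { 'consistent with legitimate' } else { 'SUSPICIOUS' }
        Findings = $findings
    }
}

# Sweep the usual install and drop roots rather than the whole drive.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, 'C:\Users') | Where-Object { $_ }
Get-ChildItem -Path $roots -Filter usm.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UsmExe -Path $_.FullName } |
    Format-List Path, Verdict, Findings
```

A clean result means only that none of the table's indicators fired; a copy in Program Files\USM with a valid vendor signature still deserves a hash lookup before it is cleared, and the CPU sample is only meaningful if no file transfer was in progress during the five seconds measured.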
File hash examples (malicious – illustrative):