Unusual Disk Usage by Userinit Logon Application – Potential Security Concern

[AnhTuan_Utracon]

Dear Kaspersky Support Team,

I am a licensed Kaspersky user, and I would like to ask for your assistance regarding a suspicious behavior observed on one of our company’s computers.

We noticed that the process Userinit Logon Application is continuously writing a large amount of data (approximately 20GB) to the *C:* drive, specifically under the folder C:\Users\Public\Graphics. What’s concerning is that the files appear to be downloaded from our internal company server.

Here are some details:

• The files in the Graphics folder all show 0KB in size when viewed, but the overall folder size is significantly large (around 20GB).

• The system does not have Synology Drive Client installed.

• Offline Files feature in Windows is disabled.

• The userinit.exe file has a valid Microsoft digital signature.

• We have scanned the machine using Kaspersky, and no threats were detected.

• Hidden files and system files are fully visible, and still, all individual files in the folder appear as 0KB despite the large folder size.

We are concerned whether this might indicate some form of malware activity or even a potential breach. Could you please advise on what might be causing this, and whether it could be a security risk?

Thank you for your support.