Randomly Named Files in C: and C:\Users Drives – Huntress Product Support

Team: Huntress EDR
Product: SentinelOne
Environment: SentinelOne Enhanced Ransomware Detection
Summary: If you see long randomly named files appearing in C: and C:\Users Drives, you may have SentinelOne Enhanced Ransom Detection enabled.

Are you seeing weird file names randomly pop up in your C: drive?

You most likely have SentinelOne and are utilizing the Enhanced Ransomware Detection feature.

The Agent drops decoy files with open read/write permissions, which are used for detection purposes. Before Agent version 21.6, the decoy files were created in folders %user%\Documents\afterSentDocuments and %user%\Appdata\Local\afterSentDocuments).

From Agent version 21.6, the Agent generates decoy files in new decoy folders, under C:\, C:\Users, and shared folders. The names of the new decoy folders begin with the $ character and are followed by 32 random hex characters.

Examples:

C:\$A82346DA61A8DCD8697CF45427579C4DC\decoyFile1

C:\Users\$23A8ACD46DA68D1F498697CC4DC542757\decoyFile2

Are you seeing weird file names randomly pop up in your C: drive?

Related articles