79569673

Date: 2025-04-11 20:31:51
Score: 1.5
Natty:

I know this is an old thread but there doesn't seem to be a lot of info around on this behavior. Our EDR recently began flagging files created, written to and deleted within the same second. The file contained null and the hash is very old. The file names and extensions are random, and statistically it occasionally creates a file with a legitimate extension like sys, php, msi, vbs, etc. We believe this is a component of the Application Insights telemetry process. The only machines we are seeing it on are running Application Insights or SharePoint. Today it created a php and an a1g file, both with the same hash. I believe the process may create a complete filename with 11 characters and then pop a "." before the last 3 to arrive at a name.

4ethdxc2.php

6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Unregistered user (0.5):
  • Low reputation (1):
Posted by: The Wayward Paladin
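One way to triage the behaviour described in the post, as an added example that is not part of the thread or of any EDR product: it correlates constructed file-event lines, flags files created, written and deleted within one second, checks the name against the poster's 11-character hypothesis, and compares the posted hash with SHA-256 of a single 0x00 byte (the assumption made here for "contained null"). The pipe-delimited log format and the paths are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# SHA-256 quoted in the post for the transient files.
POSTED_HASH = "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d"

# Poster's hypothesis: 11 random characters with a "." inserted before the last 3.
NAME_PATTERN = re.compile(r"^[a-z0-9]{8}\.[a-z0-9]{3}$")

# Constructed sample events in a hypothetical "timestamp|op|path|sha256" format.
SAMPLE_EVENTS = "\n".join([
    "2025-04-11T20:31:51.100|create|C:\\Temp\\4ethdxc2.php|-",
    f"2025-04-11T20:31:51.250|write|C:\\Temp\\4ethdxc2.php|{POSTED_HASH}",
    "2025-04-11T20:31:51.600|delete|C:\\Temp\\4ethdxc2.php|-",
    "2025-04-11T20:31:52.000|create|C:\\Temp\\report.docx|-",
    "2025-04-11T20:35:10.000|write|C:\\Temp\\report.docx|0000000000000000",
])


def null_byte_sha256():
    """Hash of a file whose whole content is one 0x00 byte (assumption for 'contained null')."""
    return hashlib.sha256(b"\x00").hexdigest()


def matches_naming_hypothesis(filename):
    """True when the name looks like 8 random chars, a dot, then 3 random chars."""
    return bool(NAME_PATTERN.match(filename.lower()))


def find_transient_files(log_text, window_seconds=1.0):
    """Return files that were created, written and deleted within window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, op, path, digest = line.split("|")
        events[path].append((datetime.fromisoformat(ts), op, digest))
    hits = []
    for path, evs in events.items():
        if not {"create", "write", "delete"} <= {op for _, op, _ in evs}:
            continue  # not the full create/write/delete lifecycle
        times = [t for t, _, _ in evs]
        if (max(times) - min(times)).total_seconds() > window_seconds:
            continue  # lifecycle too slow to match the observed behaviour
        digest = next(d for _, op, d in evs if op == "write")
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        hits.append({"path": path,
                     "name_matches": matches_naming_hypothesis(name),
                     "null_byte_content": digest == null_byte_sha256()})
    return hits
```

Files with the expected name shape and the null-byte hash can be routed to a lower-priority review queue, while anything else that fits the one-second lifecycle keeps its normal EDR severity.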