We are currently using Kaspersky Endpoint Security (KES) version 12.3.0 on several test servers. After some time, while reviewing DNS logs, we discovered unusual DNS queries and conducted an investigation. The details are as follows:

Image: C:\Program Files (x86)\Kaspersky Lab\KES.12.3.0\avp.exe 
User: NT AUTHORITY\SYSTEM 
QueryResults:  
QueryName: quotecomplainhappy.cyou 

This information was obtained from Sysmon Event ID 22 logs on the servers. In addition, we detected multiple other domains being queried by avp.exe, such as:

  • startcounterfigure.cyou
  • listensalespecial.digital
  • firstspeakaccident.digital
  • damageemergencymechanism.digital
  • druguntilfall.cyou

and many other domains resembling DGA NXDOMAIN patterns.

We would like to ask whether this is normal behavior for Kaspersky Endpoint Security, and if not, what would be the recommended way to investigate and identify the root cause of this issue.
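Added example (not from the post and not Kaspersky's code): a small Python triage script that parses Sysmon Event ID 22 records in the key/value layout quoted above, groups queries per process image, counts those whose QueryResults field is empty, and flags long word-concatenation names under the TLDs seen in the post. The sample records, the svchost entry and its address, the TLD watchlist and the length threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 22 records in the post's key/value layout; the svchost one is a benign contrast.
SAMPLE_EVENTS = r"""Image: C:\Program Files (x86)\Kaspersky Lab\KES.12.3.0\avp.exe
User: NT AUTHORITY\SYSTEM
QueryResults:
QueryName: quotecomplainhappy.cyou

Image: C:\Program Files (x86)\Kaspersky Lab\KES.12.3.0\avp.exe
User: NT AUTHORITY\SYSTEM
QueryResults:
QueryName: druguntilfall.cyou

Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\NETWORK SERVICE
QueryResults: ::ffff:13.107.4.50;
QueryName: ctldl.windowsupdate.com
"""
WATCHED_TLDS = {"cyou", "digital"}  # assumption: the TLDs seen in the post's examples
FIELD = re.compile(r"^(Image|User|QueryResults|QueryName):\s*(.*)$")

def parse_events(text):
    """Return one dict per record; a blank line separates records."""
    events, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current:
            events.append(current)
            current = {}
    return events + [current] if current else events

def is_dga_like(name):
    """Word-concatenation DGA heuristic: long letter-only second-level label under a watched TLD."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) > 1 and labels[-1] in WATCHED_TLDS and len(labels[-2]) >= 12 and labels[-2].isalpha()

def triage(events):
    """Per image: sorted DGA-like names and the count of queries that returned no answer."""
    report = defaultdict(lambda: {"suspicious": set(), "unanswered": 0})
    for ev in events:
        entry = report[ev.get("Image", "?")]
        if not ev.get("QueryResults"):  # empty QueryResults: nothing was resolved
            entry["unanswered"] += 1
        if is_dga_like(ev.get("QueryName", "")):
            entry["suspicious"].add(ev["QueryName"])
    return {img: {"suspicious": sorted(e["suspicious"]), "unanswered": e["unanswered"]}
            for img, e in report.items()}
```

Run `triage(parse_events(SAMPLE_EVENTS))` on a real Sysmon export in the same layout to see which images are responsible for the unanswered, DGA-like lookups before digging into the product's own update and reputation traffic.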
