
Reviewing DNS logs within my company, I've found a lot of weird DNS requests from a machine involving what seems to be a DGA scheme, as shown below (the real IP has been obfuscated):

04/07/2017 13:36:47 12C8 PACKET 0000000005492E80 UDP Rcv x.x.x.x 615f Q [0001 D NOERROR] A (4)ipv6(8)msftncsi(3)com(0)
04/07/2017 13:38:48 12CC PACKET 0000000014093AE0 UDP Rcv x.x.x.x bd65 Q [0001 D NOERROR] A (8)gjsqexfs(3)int(0)
04/07/2017 13:38:49 12CC PACKET 00000000104B8020 UDP Rcv x.x.x.x 05ac Q [0001 D NOERROR] A (8)gjsqexfs(7)company(3)sys(0)
04/07/2017 13:38:49 12CC PACKET 000000000AE7D830 UDP Rcv x.x.x.x 3f29 Q [0001 D NOERROR] A (8)gjsqexfs(6)domain(5)local(0)
04/07/2017 13:38:53 0EFC PACKET 000000D4A0454220 UDP Rcv x.x.x.x 5770 Q [0001 D NOERROR] A (4)ipv6(8)msftncsi(3)com(0)
04/07/2017 13:40:17 12EC PACKET 000000001347DCE0 UDP Rcv x.x.x.x 567f Q [0001 D NOERROR] A (7)amwvagu(3)int(0)
04/07/2017 13:40:17 12EC PACKET 0000000010EECC30 UDP Rcv x.x.x.x 473a Q [0001 D NOERROR] A (15)yumtigciicyjkyo(3)int(0)
04/07/2017 13:40:17 12EC PACKET 000000000F6C3AE0 UDP Rcv x.x.x.x d29b Q [0001 D NOERROR] A (13)sqyhdalqdytlm(3)int(0)*

I'm aware ipv6.msftncsi.com is used by Microsoft to check connectivity, but I have no idea about the other internal ones (probably a host/service discovery process?).

In the first place I believed there could be a malware infection behind this, but no evidence has been found.

My question is: could a Windows process/service be behind these requests?

jvdav
  • 11
  • 2
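As an added example (not code from the question's author), here is a small Python parser for the Windows DNS Server debug-log lines quoted above: it decodes the length-prefixed names such as `(4)ipv6(8)msftncsi(3)com(0)` and scores the leftmost label with simple DGA heuristics, grouping hits per client. The sample log is constructed from the lines in the question; the field layout, the thresholds and the `KNOWN_GOOD` allowlist are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample in the Windows DNS Server debug-log format quoted in the
# question; the client address is obfuscated as x.x.x.x, as in the original.
SAMPLE_LOG = """\
04/07/2017 13:36:47 12C8 PACKET 0000000005492E80 UDP Rcv x.x.x.x 615f Q [0001 D NOERROR] A (4)ipv6(8)msftncsi(3)com(0)
04/07/2017 13:38:48 12CC PACKET 0000000014093AE0 UDP Rcv x.x.x.x bd65 Q [0001 D NOERROR] A (8)gjsqexfs(3)int(0)
04/07/2017 13:40:17 12EC PACKET 000000001347DCE0 UDP Rcv x.x.x.x 567f Q [0001 D NOERROR] A (7)amwvagu(3)int(0)
04/07/2017 13:40:17 12EC PACKET 0000000010EECC30 UDP Rcv x.x.x.x 473a Q [0001 D NOERROR] A (15)yumtigciicyjkyo(3)int(0)
04/07/2017 13:40:17 12EC PACKET 000000000F6C3AE0 UDP Rcv x.x.x.x d29b Q [0001 D NOERROR] A (13)sqyhdalqdytlm(3)int(0)
"""
# Field order assumed from the single-spaced lines in the question.
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ PACKET \S+ (?:UDP|TCP) (?:Snd|Rcv) "
    r"(?P<client>\S+) \S+ (?P<qr>[QR]) \[[^\]]*\] (?P<qtype>\S+) (?P<name>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
KNOWN_GOOD = ("msftncsi.com",)  # the connectivity probe the question already identifies

def decode_name(encoded: str) -> str:
    """Turn (4)ipv6(8)msftncsi(3)com(0) into ipv6.msftncsi.com."""
    return ".".join(lab for n, lab in LABEL_RE.findall(encoded) if int(n) > 0)

def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def looks_generated(label: str) -> bool:
    """Cheap DGA heuristics on one label: long and vowel-poor, high-entropy, or with a
    long consonant run. The thresholds are assumptions, not a published rule."""
    if len(label) < 7:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    consonant_run = max(len(run) for run in re.split(r"[aeiou]", label))
    return vowel_ratio <= 0.2 or shannon_entropy(label) >= 3.0 or consonant_run >= 4

def flagged_queries_by_client(log_text: str) -> dict:
    """Map each client to the sorted distinct suspicious names it queried (Q lines only)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qr"] != "Q":
            continue
        name = decode_name(m["name"])
        if not name.endswith(KNOWN_GOOD) and looks_generated(name.split(".")[0]):
            hits[m["client"]].add(name)
    return {client: sorted(names) for client, names in hits.items()}
```

Note that `amwvagu` is pronounceable enough to pass these thresholds, so treat the output as a per-client count of distinct odd names over a time window rather than a verdict on any single query, and compare against the matching `R` lines (a burst of NXDOMAIN answers is the classic DGA signature, whereas names that resolve inside the search suffixes point to a legitimate internal lookup).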
