The journey to answer this sort of question can be jumpstarted with sysinternals sigcheck.
You can point sigcheck at the file in question to answer questions relating to origin of the executable (publisher, company), it's integrity (digital signature), it's description (high level summary of functionality), and its hash (for lookups to threat intelligence sources such as VirusTotal having details about reputation and observed behavior).
Once you trust that the file in question has integrity you can then leverage the product description to study it's intended purpose on vendor website. For Microsoft function libraries I tend to throw "learn.microsoft.com" and "msdn" into search terms. Full query:
"Cryptographic Services" CryptSvc.dll site:learn.microsoft.com msdn
Based on the description I agree with your assessment that the transaction was expected behavior relating to cryptographic services. With that the follow-on action in my mind would be to determine what activity invoked the support of cyptographic services. In this case I'd be more concerned about "the game" than the cryptsvc player itself. I'd inspect ProcessCreate/ ImageLoad events just prior to the cue and DNSQuery/NetworkConnect events which immediately follow for answers to that.