ff5ee67ba5ec9c196489b4ac28158cec3fecc6acfc0182cbc42e7dfeffc50b37

Author: Microsoft

Source: Wild

Summary

nltest.exe is the 10629th most commonly executed Windows program. It typically runs from the path C:\Windows\System32, and is most often launched by PDQInventoryScanner.exe. It has been observed executing on 8.2% of computers in the wild. The typical filename is nltest.exe.

EchoTrail Prevalence Score (EPS)

32.5

Rank Analysis

Host Prevalence

8.2%

Execution Rank

10,629th

Behavioral Analysis

Top Filenames

nltest.exe

100.00 %

Top Paths

C:\Windows\System32

100.00 %

Top Network Ports

No results found.

Ancestry Analysis

Top GrandParents

PDQInventoryAgent.exe

63.69 %

Top Parents

PDQInventoryScanner.exe

99.36 %

Top Children

conhost.exe

100.00 %

Security Analysis

Intel

While nltest.exe is a Microsoft executable that runs natively on Windows Server 2003 - 2012, it is probably unlikely to see someone executing commands in your environment with this tool. Note that the SocGhoulish malware which is one of Red Canary's top malware in 2022, tries to enumerate AD with this (https://redcanary.com/threat-detection-report/threats/socgholish/). If you see activity, locate the administrator for that server and see if it is them.