EchoTrail

nltest.exe

Author: Microsoft

Source: Wild

Summary

nltest.exe is the 1453rd most commonly executed Windows program. It typically runs from the path C:\Windows\System32, and is most often launched by PDQInventoryScanner.exe. It has been observed executing on 8.2% of computers in the wild.

EchoTrail Prevalence Score (EPS)

34.8

Rank Analysis

Host Prevalence

8.2%

Execution Rank

1,453rd

Behavioral Analysis

Top Hashes

ff5ee67ba5ec9c196489b4ac28158cec3fecc6acfc0182cbc42e7dfeffc50b37

37.28 %

Top Paths

C:\Windows\System32

100.00 %

Top Network Ports

No results found.

Ancestry Analysis

Top GrandParents

PDQInventoryAgent.exe

63.69 %

Top Parents

PDQInventoryScanner.exe

99.36 %

Top Children

conhost.exe

100.00 %

Security Analysis

Intel

While nltest.exe is a Microsoft executable that runs natively on Windows Server 2003 - 2012, it is probably unlikely to see someone executing commands in your environment with this tool. Note that the SocGhoulish malware which is one of Red Canary's top malware in 2022, tries to enumerate AD with this (https://redcanary.com/threat-detection-report/threats/socgholish/). If you see activity, locate the administrator for that server and see if it is them.