First role as a sysadmin, sent 1 killed nmap.exe on app server. How'd it get there?
Posted by goinonbreak@reddit | sysadmin | 32 comments
I've recently been hired as a sysadmin/level 1 SOC. First job with this title, so apologies ahead of time.

Sent 1 sent me an alert saying an nmap.exe was detected and killed on a Windows 2016 RDS app server with no outside internet access. It showed the folder being buried in an old DigiCert folder. Most of what's currently in this infrastructure was put there by the infrastructure engineer and my predecessor. We've moved a lot of our stuff to a new Windows Server 2025, with this one being classified as an "old RDS server". Sent 1 killed it, folder removed. Going through more stuff tomorrow to make sure it's clean. This server doesn't have much on it but a small production app that's not used often (I'll find out more about what's on it tomorrow).

I've been focusing a lot of my knowledge and training on the servers hosting the critical, important things: 3 out of the 4 Hyper-Vs, backups, and level 1 SOC analyst things, usually employees trying to download something or DNS filter things.

What are your thoughts as to how it got there? If it helps, you do need 2FA to log in and only 4 people have those creds. Unlikely one of them, for a number of reasons. The other variable is I've recently been trying to play around with Tenable Nessus Pro and was doing a vulnerability scan on 2 /24 networks and a /16. I'm sure I'm missing a lot of key details, but that's the gist of it.

Just curious if it was indeed a threat. I did a quick search and Nessus doesn't use nmap for network enumeration, so unlikely that and more of an odd coincidence. Did someone really get access to the server and attempt to run nmap? Share your wisdom, oh wise ones! Thanks in advance.

Edit: grammar, spelling and everything else. I'm an ape on mobile.
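The post describes the next step ("going through more stuff tomorrow to make sure it's clean") without saying what to look at. The script below is an added triage example for that step; it is not from the thread or from any EDR vendor. It hunts for what survives after the EDR has already deleted the file: leftover copies of the nmap tool family on disk, Prefetch entries (which record when the program last ran even after the binary is gone), Security log 4688 process-creation and 4624 RDP logon events, and the usual persistence locations. Assumptions: it runs elevated on the affected Windows Server 2016 RDS host, the Security log has process-creation (4688) and logon (4624) auditing enabled, and the parameter names `$Name`, `$LookbackDays` and `$Report` are hypothetical.

```powershell
<#
  Added triage script for the nmap.exe alert described in the post; not the thread's own code.
  Run elevated on the server the EDR alerted on. Assumes 'Audit Process Creation' (4688) and
  logon auditing (4624) are enabled. $Name, $LookbackDays and $Report are hypothetical names.
#>
param(
    [string]$Name         = 'nmap.exe',                    # binary the EDR flagged
    [int]   $LookbackDays = 30,                            # how far back to read the Security log
    [string]$Report       = "$env:TEMP\nmap-triage.txt"    # where findings are written
)

$since = (Get-Date).AddDays(-$LookbackDays)
$lines = New-Object System.Collections.Generic.List[string]

# Pull one <Data Name="..."> value out of a Security event instead of regexing the message text.
function Get-EventField {
    param($Event, [string]$FieldName)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $FieldName }).'#text'
}

# 1. Remaining copies on disk. The nmap installer drops siblings (ncat, nping, zenmap, Npcap);
#    a lone nmap.exe in an unrelated folder is more typical of a hand-copied tool.
$patterns = 'nmap*.exe', 'ncat.exe', 'nping.exe', 'zenmap.exe', 'npcap*.exe'
Get-ChildItem -Path 'C:\' -Recurse -Force -Include $patterns -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status   # compare $hash against the nmap.org release hash
    $lines.Add("FILE      $($_.FullName) created=$($_.CreationTime) modified=$($_.LastWriteTime) sha256=$hash sig=$sig")
}

# 2. Prefetch outlives the binary: LastWriteTime is roughly the last run, CreationTime roughly the first run.
Get-ChildItem -Path 'C:\Windows\Prefetch' -Filter 'NMAP*.pf' -ErrorAction SilentlyContinue | ForEach-Object {
    $lines.Add("PREFETCH  $($_.Name) lastRun~$($_.LastWriteTime) firstRun~$($_.CreationTime)")
}

# 3. Process creation: who launched it, from which parent, with what arguments (CommandLine needs
#    'Include command line in process creation events' turned on; otherwise it is empty).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Name) -and (Get-EventField $_ 'NewProcessName') -like "*\$Name" } |
    ForEach-Object {
        $lines.Add("4688      $($_.TimeCreated) user=$(Get-EventField $_ 'SubjectUserName') parent=$(Get-EventField $_ 'ParentProcessName') cmd=$(Get-EventField $_ 'CommandLine')")
    }

# 4. RDP logons (LogonType 10) in the same window, to line up against the tool's timestamps and
#    against the four accounts that hold the 2FA credentials.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Logon Type:\s+10' -and (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        $lines.Add("RDP-LOGON $($_.TimeCreated) user=$(Get-EventField $_ 'TargetUserName') from=$(Get-EventField $_ 'IpAddress')")
    }

# 5. Persistence that would re-run or re-fetch the tool: scheduled tasks, services, machine Run keys.
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'nmap'
} | ForEach-Object { $lines.Add("TASK      $($_.TaskPath)$($_.TaskName)") }

Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nmap' } |
    ForEach-Object { $lines.Add("SERVICE   $($_.Name) path=$($_.PathName)") }

foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { "$($_.Value)" -match 'nmap' } |
            ForEach-Object { $lines.Add("RUNKEY    $key\$($_.Name) = $($_.Value)") }
    }
}

$lines | Set-Content -Path $Report
$lines
Write-Host "Wrote $($lines.Count) findings to $Report"
```

The point of collecting timestamps rather than just the file is the Nessus question in the post: if the Prefetch first-run time or the earliest 4688 event predates the scan window, the scan cannot be the explanation, and whichever RDP session was open at that time is the lead to chase. The EDR's own quarantine usually still holds the deleted copy, so its SHA256 can be compared against the hash published on nmap.org to tell a stock release from a renamed or modified binary. The script only checks the machine-wide Run keys; per-user Run keys under each loaded profile's hive and Sysmon's Microsoft-Windows-Sysmon/Operational log (if Sysmon is installed) are worth the same treatment.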