SMB session creating and binding to the svcctl pipe, opening the Service Control Manager via OpenSCManagerW, creating a service with an mshta.exe VBScript payload, starting it via StartServiceW, then deleting it via DeleteService.

Composite behavior indicating remote lateral movement over SMB followed by service-based execution of a staged payload delivered through mshta invoking msiexec from remote infrastructure. The sequence combines IPC$ share access, SAMR and SVCCTL RPC binding, service control pipe interaction, and remote command execution consistent with administrative service creation or modification to execute a downloaded installer. This pattern is strongly associated with hands-on-keyboard intrusion activity and automated lateral propagation frameworks leveraging Windows service execution for payload deployment.