Composite behavior indicating remote lateral movement over SMB followed by service-based execution of a staged payload delivered through mshta invoking msiexec from remote infrastructure. The sequence combines IPC$ share access, SAMR and SVCCTL RPC binding, service control pipe interaction, and remote command execution consistent with administrative service creation or modification to execute a downloaded installer. This pattern is strongly associated with hands-on-keyboard intrusion activity and automated lateral propagation frameworks leveraging Windows service execution for payload deployment.

SMB session creating and binding to the svcctl pipe, opening the Service Control Manager via OpenSCManagerW, creating a service with an mshta.exe VBScript payload, starting it via StartServiceW, then deleting it via DeleteService.