Identifies an SMB session where the IPC$ share is accessed and RPC bindings are established to the SAMR and SRVSVC interfaces via named pipes. The combination of IPC$ access, SAMR RPC binding (Security Account Manager Remote), and SRVSVC pipe interaction indicates authenticated enumeration of user accounts, groups, shares, or service information on a Windows host. This behavior reflects structured post-authentication reconnaissance against Windows systems rather than unauthenticated share scanning.

Authenticated SMB session using WORKGROUP\GUEST that accesses the DATA share and sequentially opens multiple business-named directories (Financials, HR, IT, Projects, Marketing, Legal, Public, and related subfolders) with repeated root directory queries, consistent with structured directory discovery activity.