Composite behavior identifying authenticated SMB access across administrative (ADMIN$, C$), backup, data, IPC$, and NETLOGON shares, combined with root directory reads, SAMR and SRVSVC RPC binding, and creation or overwrite of a delete.me file. This sequence is consistent with structured domain-level host and share reconnaissance followed by write-permission validation, commonly observed in automated post-authentication discovery and lateral movement tooling.