Good find by Elastic - possibly North Korean-based threat actors using an unfixed bug in Windows to execute code, undetected across all vendors until that point (and as of writing only Elastic detect still)
@SwiftOnSecurity essentially. I was looking at VirusTotal just now, apparently .msc misuse has been supercharged for a while now, e.g. I can see red teams using WebDAV paths in icon parameters to get SMB hashes