Initial access taxonomy: DELIVERY(CONTAINER(TRIGGER + PAYLOAD + DECOY))

Payloads - DLL Side-loading

The Windows Component Store is located in C:\Windows\WinSxS. It keeps every version of an OS component that has been installed, including versions that an update or patch has superseded. If the current build of a program is no longer vulnerable, e.g. to DLL hijacking, an older build that is still Microsoft-signed may sit in C:\Windows\WinSxS, and you can run it from there (or copy it next to your DLL and run it from a directory you control).

Example

Current version of ngentask.exe, not vulnerable to DLL hijacking:


ngentask.exe version stored in C:\Windows\WinSxS\amd64_netfx4-ngentask_exe_b03f5f7f11d50a3a_4.0.15805.0_none_d4039dd5692796db\ngentask.exe that is vulnerable to DLL hijacking:

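The hunt described above, as an added example that is not code from the original notes: it enumerates every copy of an executable in the Component Store next to the live copy and prints file version, Authenticode status and the DLL names in the static import table, so the old build can be compared with the current one. The target name and the live path are assumptions (ngentask.exe is only the page's example; the .NET framework path is where it normally lives, adjust if yours differs).

```powershell
# Added example, not from the original notes. Lists every copy of $Name under
# the Component Store plus the live copy, with version, signature and imports.
param(
    [string]$Name     = 'ngentask.exe',                                           # assumption: page's example
    [string]$Store    = "$env:SystemRoot\WinSxS",
    [string]$LivePath = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"  # assumption
)

function Get-PeImports {
    # Minimal PE import-table walk. Returns the DLL names the image links
    # statically; delay-load and LoadLibrary-time imports are not covered.
    param([string]$Path)
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                        # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "Not a PE file: $Path" }
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt       = $pe + 24                                          # optional header
    $magic     = [BitConverter]::ToUInt16($b, $opt)
    $dirBase   = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }   # PE32+ / PE32
    $impRva    = [BitConverter]::ToUInt32($b, $dirBase + 8)        # DataDirectory[1].VirtualAddress
    if ($impRva -eq 0) { return @() }

    # Section table, needed to turn RVAs into file offsets
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    function Rva2Off([uint32]$rva) {
        foreach ($sec in $sections) {
            if ($rva -ge $sec.VA -and $rva -lt $sec.VA + $sec.Size) { return $sec.Raw + ($rva - $sec.VA) }
        }
        throw "RVA 0x$($rva.ToString('X')) is outside every section"
    }

    $names = @()
    $desc  = [int](Rva2Off $impRva)
    while ($true) {
        $nameRva = [BitConverter]::ToUInt32($b, $desc + 12)        # IMAGE_IMPORT_DESCRIPTOR.Name
        if ($nameRva -eq 0) { break }                              # all-zero terminator entry
        $off = [int](Rva2Off $nameRva)
        $end = $off
        while ($b[$end] -ne 0) { $end++ }                          # NUL-terminated ASCII name
        $names += [System.Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
        $desc  += 20                                               # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    }
    return $names
}

$targets = @(Get-ChildItem -Path $Store -Filter $Name -Recurse -File -ErrorAction SilentlyContinue)
if (Test-Path -LiteralPath $LivePath) { $targets = @(Get-Item -LiteralPath $LivePath) + $targets }

$targets | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Version   = $_.VersionInfo.FileVersion
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject.Split(',')[0] } else { '-' }
        Imports   = (Get-PeImports -Path $_.FullName) -join ' '
        Path      = $_.FullName
    }
} | Sort-Object Version | Format-Table -AutoSize -Wrap
```

The recursive walk of WinSxS takes a while. Signature reading Valid on every row is expected: the bytes of the old build are unchanged, so it is still a trusted, Microsoft-signed binary. The Imports column only tells you which DLLs are resolved by name; confirm where the loader actually looks for each one (application directory first, then the system search order) with Process Monitor before treating a copy as hijackable.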

Payloads - AppDomainManager

Payloads - MSI

Windows Installer packages (MSI) bundle the files of an application together with the steps needed to install it. Because an MSI can carry arbitrary files and run custom actions during installation, it can act as the container in the initial access taxonomy above.

Payloads - Excel Add-in’s

Payloads - Code Signing

This is where the controversies creep in. If buying a certificate in your company's name isn't feasible, what else can you do? One option is to set up and maintain dummy/shell companies, which costs a lot of time and effort. Another is to use leaked or stolen certificates, which is much quicker and easier. GitHub code search, for instance, has a path qualifier that can be used to find certificate and key files (e.g. .pfx or .p12) committed to public repositories; public S3 buckets, game hacking forums and similar places are other sources. Check the chain and revocation status of anything you find before relying on it: a certificate that has leaked is often revoked soon after someone notices.
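A triage script for certificate files collected from a cloned repository or a bucket dump, added here as an example and not part of the original notes: it reports which files are code-signing certificates, whether they carry a private key, when they expire, and whether the chain still builds with online revocation checking. The root directory, file patterns and the PFX password list are assumptions.

```powershell
# Added example, not from the original notes. Triages certificate files under $Root.
param(
    [string]$Root = '.',                                      # assumption: directory to scan
    [string[]]$Passwords = @('', 'password', 'changeit')      # assumption: PFX passwords to try
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'                          # id-kp-codeSigning

function Import-CertFile {
    # Try each candidate password; .cer/.crt/.der load with an empty one.
    param([string]$Path)
    foreach ($pw in $Passwords) {
        try {
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $pw)
        } catch [System.Security.Cryptography.CryptographicException] {
            continue                                          # wrong password or unreadable blob
        }
    }
    return $null
}

function Test-CodeSigningCert {
    # True when the Extended Key Usage extension lists code signing.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
}

function Get-ChainStatus {
    # Builds the chain with online revocation checking; leaked certs are usually revoked.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    if ($chain.Build($Cert)) { return 'Valid' }
    return ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

Get-ChildItem -Path $Root -Recurse -File -Include '*.pfx','*.p12','*.cer','*.crt','*.der' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $cert = Import-CertFile -Path $_.FullName
    if (-not $cert) { return }                                # skip files we could not open
    [pscustomobject]@{
        File        = $_.FullName
        Subject     = $cert.Subject.Split(',')[0]
        CodeSigning = Test-CodeSigningCert -Cert $cert
        PrivateKey  = $cert.HasPrivateKey
        NotAfter    = $cert.NotAfter.ToString('yyyy-MM-dd')
        Chain       = Get-ChainStatus -Cert $cert
    }
  } | Format-Table -AutoSize
```

Only rows with CodeSigning and PrivateKey both True and Chain reading Valid are usable for signing; anything else is either a public certificate without its key, the wrong key usage, expired, or already revoked. The chain check needs network access to reach the CA's CRL or OCSP responder.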

Containers