# Malicious MSIX Example

This is the smallest, simplest example of a malicious MSIX that runs `Autoruns64.exe` when installed.

## Usage

### Install

To install it, simply double-click the package and hit Install.

Alternatively, you may install it from the command line:

```
PS> Add-AppxPackage -Path VcRedist2-signed.msix
```

However, installing this way does not run the executable after installation completes.

An **unsigned** package can also be installed like so:

```
PS> Add-AppxPackage -Path VcRedist2-unsigned.msix -AllowUnsigned
```

The program is installed to:

```
C:\Program Files\WindowsApps\<ProgramName>_<Version>_<Arch>_<Hash>
```

In this case:

```
C:\Program Files\WindowsApps\VcRedist2_1.0.0.0_x64__cge602bk4wsb0
```


### Verify installation

After installation completes, you may review its details with:

```
PS>  Get-AppPackage -Name vcredist2


Name              : VcRedist2
Publisher         : CN=12980215 Canada Inc., O=12980215 Canada Inc., S=Ontario, C=CA
Architecture      : X64
ResourceId        :
Version           : 1.0.0.0
PackageFullName   : VcRedist2_1.0.0.0_x64__cge602bk4wsb0
InstallLocation   : C:\Program Files\WindowsApps\VcRedist2_1.0.0.0_x64__cge602bk4wsb0
IsFramework       : False
PackageFamilyName : VcRedist2_cge602bk4wsb0
PublisherId       : cge602bk4wsb0
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : False
IsPartiallyStaged : False
SignatureKind     : Developer
Status            : Ok
```

The name `TestMe` comes from the `<Identity Name="..."` field in `AppxManifest.xml`.
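
For triage, the same fields can be checked across every package installed for the current user. The following is an added example, not part of this repository: the function name `Get-SideloadedPackage` is hypothetical, treating the `Developer` and `None` signature kinds as "sideloaded" is an assumption to adjust to local policy, and it assumes Windows PowerShell 5.1 with the built-in Appx module.

```powershell
# Added example: list sideloaded MSIX/AppX packages for the current user and
# show the identity and executables each one declares in AppxManifest.xml.
function Get-SideloadedPackage {
    param(
        # SignatureKind values treated as sideloaded (assumption, tune to policy).
        # Store- and System-signed packages are skipped by default.
        [string[]]$SignatureKind = @('Developer', 'None')
    )

    Get-AppxPackage |
        Where-Object { "$($_.SignatureKind)" -in $SignatureKind } |
        ForEach-Object {
            $pkg          = $_
            $identityName = $null
            $executables  = @()

            # Get-AppxPackageManifest returns the package's AppxManifest.xml as XML.
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName `
                            -ErrorAction SilentlyContinue
            if ($manifest) {
                # <Identity Name="..."> is the source of the Name field.
                $identityName = $manifest.Package.Identity.Name
                # Each <Application Executable="..."> is a declared entry point.
                $executables = @($manifest.Package.Applications.Application |
                    ForEach-Object { $_.Executable } |
                    Where-Object { $_ })
            }

            [pscustomobject]@{
                Name            = $pkg.Name
                ManifestName    = $identityName
                Publisher       = $pkg.Publisher
                SignatureKind   = "$($pkg.SignatureKind)"
                PackageFullName = $pkg.PackageFullName
                InstallLocation = $pkg.InstallLocation
                Executables     = $executables -join ', '
            }
        }
}

# Review every sideloaded package; unexpected publishers or executables
# warrant a closer look at the InstallLocation contents.
Get-SideloadedPackage | Format-List
```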


### Uninstall

To uninstall the app, take its `PackageFullName` entry from the above output and run the following from the command line:

```
PS> Remove-AppPackage -Package VcRedist2_1.0.0.0_x64__cge602bk4wsb0
```

Both steps can be combined into a single command:

```
PS> Remove-AppPackage -Package (Get-AppPackage -Name VcRedist2).PackageFullName
```


## More information

- https://learn.microsoft.com/en-us/windows/msix/desktop/desktop-to-uwp-manual-conversion
- https://learn.microsoft.com/en-us/windows/msix/packaging-tool/bundle-msix-packages
- https://learn.microsoft.com/en-us/windows/msix/overview
