The starting point of the attack is a dropper, which comes in two variants — a regular dropper that’s either implemented as an executable or a DLL file and a tampered installer file for a legitimate tool named Total Commander.