or data section. When a user runs the dropper, it performs the XOR operation again with the same key to reconstruct the original malware, then either executes it directly from memory or writes it to disk before running it.

This process removes several indicators that antivirus software relies on. The MZ header{{px2mdash}}px2}}}}?the 2-byte signature "MZ" which marks the beginning of every Windows executable{{px2mdash}}px2}}}}?gets completely obscured by the XOR operation. Security programs frequently