The attack has the user paste content into the Windows run dialog. That could include spawning an admin Powershell and running `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` before running a remote script. Or more likely what nullindividual said - the download and start of the exe is entirely contained in what the user is pasting in.