Running and installing are different things. A popular dropper I frequently run into for example never drops an executable to disk, it loads base64 from registry, decodes/decrypts it and reflectively executes the .NET assembly which in turn decodes and executes shell code from registry.
badrabbit|3 years ago