From Matousec.com: The Runner finds the default browser's executable and renames it. Then it copies itself to the file of the original default browser's executable. It runs this copy, renames it, copies the original executable of the default browser back and then it tries to establish an Internet connection.
Firewalls that are not able to handle this trick either do not verify the integrity of the default browser, or their verification occurs when the privileged action is executed rather than at the moment the fake executable is executed.
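The sequence above can be replayed against a toy firewall to see exactly why the timing of the integrity check matters. The following Python script is an added example, not Matousec's code and not the Runner binary itself: it writes two constructed stand-in files into a temporary directory, performs Runner's rename/copy/run/rename/restore steps on them, and then asks a hypothetical `SimulatedFirewall` whether the "browser" process may connect. The firewall trusts the browser by path plus SHA-256 and can be configured to hash the image either when the process starts or when the connection attempt happens; the class, the file names and the step labels are all assumptions made for the illustration.

```python
"""Replay of the Runner leak test against two firewall verification policies.
Added example; not Matousec's code.  All files are constructed stand-ins."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for the real executables; no real browser is touched.
ORIGINAL_BROWSER = b"ORIGINAL BROWSER IMAGE"
RUNNER_IMAGE = b"RUNNER LEAK TEST IMAGE"


def sha256_of(path):
    """SHA-256 of whatever is currently on disk at `path`."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class SimulatedFirewall:
    """Hypothetical firewall that trusts the default browser by path + hash.

    verify_at_launch=True : the hash is taken when the process image starts.
    verify_at_launch=False: the hash is taken when the privileged action
                            (the connection attempt) is executed.
    """

    def __init__(self, trusted_path, verify_at_launch):
        self.trusted_path = Path(trusted_path)
        self.trusted_hash = sha256_of(trusted_path)   # recorded while genuine
        self.verify_at_launch = verify_at_launch
        self.launch_hash = None

    def on_process_start(self, image_path):
        # At execution time the bytes on disk are the bytes that will run,
        # so this is the only moment a hash is guaranteed to describe the process.
        if Path(image_path) == self.trusted_path:
            self.launch_hash = sha256_of(image_path)

    def on_connect(self, image_path):
        """Return True if the process started from image_path may connect."""
        if Path(image_path) != self.trusted_path:
            return False
        if self.verify_at_launch:
            observed = self.launch_hash
        else:
            observed = sha256_of(image_path)  # re-reads the file as it is now
        return observed == self.trusted_hash


def run_leak_test(verify_at_launch):
    """Perform Runner's steps; return True if the firewall allows the connection."""
    with tempfile.TemporaryDirectory() as tmp:
        browser = Path(tmp) / "browser.exe"        # default browser (stand-in)
        runner = Path(tmp) / "runner.exe"          # the leak test (stand-in)
        backup = Path(tmp) / "browser.exe.bak"     # where Runner parks the original
        running_copy = Path(tmp) / "runner_copy.exe"
        browser.write_bytes(ORIGINAL_BROWSER)
        runner.write_bytes(RUNNER_IMAGE)

        fw = SimulatedFirewall(browser, verify_at_launch)

        os.rename(browser, backup)           # 1. rename the browser's executable
        shutil.copyfile(runner, browser)     # 2. copy Runner onto the browser's path
        fw.on_process_start(browser)         # 3. run the copy: a process starts from browser.exe
        os.rename(browser, running_copy)     # 4. rename the running copy out of the way
        shutil.copyfile(backup, browser)     # 5. copy the original browser back
        return fw.on_connect(browser)        # 6. the copy (image path browser.exe) connects
```

Run with `verify_at_launch=False` the firewall re-hashes `browser.exe` at connection time, finds the restored original and lets the connection through; with `verify_at_launch=True` it compares the hash captured at step 3, which is Runner's, and blocks it. That is the distinction the paragraph above draws: an integrity check taken when the privileged action happens can only vouch for what is on disk at that moment, not for the code that is actually running.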