Attackers execute NETWIRE backdoor trojan using a process hollowing technique
March 19, 2019
https://cyware.com/news/attackers-e...-using-a-process-hollowing-technique-0db3ddaa
In other words, the key is to never auto-trust ANY process (system process or not); they should ALL be monitored with a behavior blocker and EDR. Of course, it also helps if you could simply block the process hollowing part. And I assume, if you block InstallUtil.exe from automatic network access, the trojan will have difficulty trying to phone home.
Per the FireEye detailed analysis: https://www.fireeye.com/blog/threat...hing-campaign-usage-of-process-hollowing.html
The attack could have been prevented by just paying attention to a browser alert.
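One way to apply the "block InstallUtil.exe from network access" idea from the post above with Windows Defender Firewall, as an added example that is not part of the original posts or of the linked analysis. The rule name prefix is hypothetical, and the script assumes nothing legitimate on the host needs InstallUtil.exe to reach the network.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound block rules for every InstallUtil.exe shipped with .NET Framework.
# Assumption: no legitimate installer on this host needs InstallUtil.exe to reach the network.

$frameworkRoot = Join-Path $env:windir 'Microsoft.NET'
$rulePrefix    = 'Block outbound InstallUtil'   # hypothetical rule name prefix

# Framework and Framework64 each carry one copy per installed runtime version,
# so enumerate them instead of hard-coding a single path.
$targets = Get-ChildItem -Path $frameworkRoot -Filter 'InstallUtil.exe' -Recurse -ErrorAction SilentlyContinue

foreach ($exe in $targets) {
    # e.g. "Block outbound InstallUtil Framework64 v4.0.30319"
    $name = "$rulePrefix $($exe.Directory.Parent.Name) $($exe.Directory.Name)"

    # Idempotent: skip binaries that already have a rule from a previous run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name `
                        -Direction Outbound `
                        -Program $exe.FullName `
                        -Action Block `
                        -Profile Any | Out-Null
}

# Verify: list each rule with the binary it is bound to.
Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    } | Format-Table -AutoSize
```

Re-run the script after .NET Framework updates so newly installed runtime versions are covered as well.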