Once malware is running, security software will continue to look for suspicious behavior emitted by running processes.
For example, if a notepad.exe process is observed receiving process injection then connecting to the internet, this is suspicious and highly likely to be malicious activity.