It is very rare, possibly never, that an attacker performs an entire attack from within one process.
The fact that an attack tool or a Windows library is using multiple processes and Windows programs is sometimes invisible to users of the malware (aka, the criminals).
Process behaviors represent an important source of variables during Cyber Crucible decision making, which involves behavioral indicators from a variety of sources.