Description: |
Generally, when an application access the Internet, firewall uses Windows API to retrieve the parent PID and name (the executable which launch the trusted application) and when they have it, they freeze it (suspend) and ask you what to do (allow/deny).
To prevent to be seen, Ghost once it has given information to send to the default browser, change of PID by shuting down itself and restarting itself to continue to send data.
Ghost just try to reach one page sending a string to it.
|