from the doc: 'Generally when an application access the Internet, firewall uses Windows API to retrieve the parent PID and name (the executable which launch the trusted applicaitno) and when they have it, they freeze it (suspend) and ask you what to do (allow/deny). To prevent be seen, Ghost once it has given information to send to the default browser, change of PID by shuting down itself and restarting itself to continue to send data. Ghost just rry to reach one page sending a string to it.'
Trojan Horse [Panda]
ghost.exe