This is the downloader : hxxp://www.xup.in/dl,79161341/010-RELATORIOFINAL_2601.doc.exe.7z/ Domain used to donwload the trojan : hellolink.biz 110.4.45.31 URL : hxxp://hellolink.biz/pinjam.my/counter/WinProc.zip unzip the file the trojan exe is inside. Trojan is packed with Themida and gets file from here : proexti.ufam.edu.br/xmlrpc/content/count/B/fix.php Hosting Infos : http://whois.domaintools.com/200.129.163.16