Server hit with new variant that has changed file extension to email@example.com_.code and seems to have focussed on Office documents. The file Backup Instruction.exe was found in each of the encrypted folders as far as I can tell.
See https://www.virustotal.com/en/file/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef/analysis/ and https://www.hybrid-analysis.com/sample/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef?environmentId=4 which mentions the IP address of the CC server.
UPDATE: I think the payload file is in %appdata%\Local\Temp\Low\9985.tmp.exe
UPDATE 2: Looking at the machine where this came from, there is are two entries at startup for (as shown in MSConfig) WZZKIXq, publisher SynapicosSoft, Corporation. and AdobeFlashPlayerSoftWare publisher unknown. The registry (HKCU\Software\Microsoft\Windows\Run) has these two as Adobe Reader Updater SoftWare (pointing to this 9985.tmp.exe file above) and AdobeFlashPlayersSoftWare (pointing to a AdobeFlashPlayer_7cb3b7bc1b34fa.exe) which matches the string inserted into the new file extension above. It could be that is has come down as a fake Adobe Flash player update?
Edited by quietman7, 31 August 2016 - 01:24 PM.