In addition to encrypting files, STOP Ransomware has added the AZORult trojan to its arsenal, which in turn steals credentials, browser data, files, crypto wallets, and other information. Researchers downloaded a sample of the STOP Promorad variant to check for AZORult. Through this they discovered that the encrypted files were appended with the .promorad extension. The ransomware created a ransom note named _readme.txt, and the Promorad variant also downloaded and executed a file named “5.exe”. When executed, this file creates network traffic associated with the C&C server communications for the AZORult trojan.
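A host triage sketch for the three file-system artifacts named above, added here as an example and not taken from the researchers' report. The function names and the sample directory tree are constructed for illustration, and matching on file names alone is an assumption: a file called 5.exe in particular is only a weak lead.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the paragraph above.
ENCRYPTED_EXT = ".promorad"
RANSOM_NOTE = "_readme.txt"
PAYLOAD_NAME = "5.exe"

def scan(root):
    """Walk root and group the three file-name indicators by directory."""
    hits = defaultdict(lambda: {"encrypted": [], "note": False, "payload": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower.endswith(ENCRYPTED_EXT) and lower != ENCRYPTED_EXT:
                # The extension is appended, so stripping it gives the original name.
                hits[dirpath]["encrypted"].append(name[: -len(ENCRYPTED_EXT)])
            elif lower == RANSOM_NOTE:
                hits[dirpath]["note"] = True
            elif lower == PAYLOAD_NAME:
                hits[dirpath]["payload"] = True
    return dict(hits)

def triage(hits):
    """Return (dirs with note and encrypted files, note-only dirs, 5.exe dirs)."""
    confirmed = sorted(d for d, h in hits.items() if h["encrypted"] and h["note"])
    note_only = sorted(d for d, h in hits.items() if h["note"] and not h["encrypted"])
    payload = sorted(d for d, h in hits.items() if h["payload"])
    return confirmed, note_only, payload

def build_sample_tree(root):
    """Constructed sample tree (empty files) used only to exercise the scanner."""
    layout = {
        "Documents": ["report.docx.promorad", "budget.xlsx.PROMORAD", "_readme.txt"],
        "Pictures": ["_readme.txt"],           # note without encrypted files
        "Temp": ["5.exe", "setup.log"],
        "Clean": ["readme.txt", "notes.txt"],  # near-miss names, must not match
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        labels = ("encrypted + note", "note only", "5.exe present")
        for label, dirs in zip(labels, triage(scan(tmp))):
            print(label, dirs)
```

Directories where the ransom note sits beside .promorad files are the strongest signal; a 5.exe hit should prompt a review of that host's outbound connections, since the paragraph ties the file to AZORult C&C traffic.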