Smoke Loader targets stored info for Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird. It searches for files named logins.json, which it parses for hostname, encryptedUsername, and encryptedPassword. If “fgclearcookies” is set, it kills browser processes and deletes cookies. It then triggers a malicious event handler via WM_NOTIFY and WM_PAINT. The malware can be used to load a malicious application that can be used in other malicious applications.
Source: https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
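
The file behaviours above map to two host-telemetry detections, shown here as an added example that is not from the Talos report: a read of logins.json by a process other than its owning application, and a browser kill followed by a cookie deletion from the same process. The event schema, process names, paths and the 60-second window are assumptions, and the events are constructed.

```python
from ntpath import basename  # parses Windows paths on any host OS

# Assumptions for this example (not from the report):
LOGIN_STORE_OWNERS = {"firefox.exe", "thunderbird.exe"}  # expected logins.json readers
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe"}
WINDOW = 60  # max seconds between a browser kill and a cookie delete

# Constructed events in a hypothetical schema: (ts, actor image, action, target)
PROFILE = r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
UNKNOWN = r"C:\Users\a\AppData\Roaming\sample\loader.exe"  # placeholder name
EVENTS = [
    (100, FIREFOX, "file_read", PROFILE + r"\logins.json"),
    (205, UNKNOWN, "file_read", PROFILE + r"\logins.json"),
    (210, UNKNOWN, "proc_terminate", FIREFOX),
    (212, UNKNOWN, "file_delete", PROFILE + r"\cookies.sqlite"),
    (900, FIREFOX, "file_delete", PROFILE + r"\cookies.sqlite"),
]


def image(path):
    """Lower-cased file name of a Windows path."""
    return basename(path).lower()


def detect(events):
    """Return (ts, actor, rule) findings in time order."""
    findings, last_kill = [], {}
    for ts, actor, action, target in sorted(events):
        who, what = image(actor), image(target)
        if action == "file_read" and what == "logins.json":
            # Credential store opened by something other than its owner.
            if who not in LOGIN_STORE_OWNERS:
                findings.append((ts, who, "logins_json_read_by_non_owner"))
        elif action == "proc_terminate" and what in BROWSERS:
            # Remember when a non-browser process killed a browser.
            if who not in BROWSERS:
                last_kill[actor] = ts
        elif action == "file_delete" and what.startswith("cookies"):
            # Cookie store deleted shortly after that same actor's kill.
            killed = last_kill.get(actor)
            if killed is not None and ts - killed <= WINDOW:
                findings.append((ts, who, "browser_kill_then_cookie_delete"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Firefox reading its own logins.json and clearing its own cookies produce no findings; only the sequence from the unexpected process is reported.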

