Check %AppData% or %LocalAppData% for randomly named folders containing .sqlite or .txt files (logs of stolen data).
Targets browser extensions like MetaMask or desktop wallets (e.g., Atomic, Exodus). File: hdx-home-beta-windows.zip ...
Sometimes bundled with "free" versions of premium software. Check %AppData% or %LocalAppData% for randomly named folders