Mostly the ransomware used to find the the windows registry. After that you can check them in the critical system files , temporary files, .ink files and word files.