If a user saved passwords.txt from an email attachment or downloaded it from a company portal, it lives in the "Downloads" folder. Attackers using Remote Access Trojans (RATs) often check %USERPROFILE%\Downloads\ first.
But the behavior is always the same: