Why should malware take only one password if it could copy all your passwords?

"IBM Trusteer researchers found a new configuration of Citadel that is being used to compromise password management and authentication solutions. It instructs the malware to start keylogging (capturing user keystrokes) when some processes are running.


The relevant part of the configuration is shown below (in IBM Trusteer’s proprietary format):"


Snippet from the Citadel configuration file

So in fact this means that what is being intercepted or copied today is password management software, but later it can be whatever identification file or system is on your computer.

That is why, in the safe portable (Sophos), the identification files are not in the root, kernel or system of Windows but on a pre-boot, encrypted, separate system (and this is why it doesn't work with the Belgian eID but only with a token from SafeNet).

