Once malware enters a computer, it may execute any number of malicious tasks. There are a few reasons why you might want to copy data to a location other than the Windows directory or otherwise work with files that aren’t in the default system locations:

Malware may attempt to evade detection by standard security measures and human monitors by avoiding storing or changing files immediately within system directories like C:\Windows.

The following Regex can be used to search for and locate Windows files that exist outside the Windows directory and could be copied by malware.

(copy|copy-item|cp)\s+c:\\windows\\system32\\[a-zA-Z0-9_\-]{1,50}\.exe\s+(c:\\.*\\)?[a-zA-Z0-9_\-]{1,50}\.exe