First, we know from where Java was run:
There's also another EXE listed in the output:
That's interesting. One analysis technique worth adding to the tools would be to parse the module paths and pull out not just the path to the EXE the Prefetch file was created for, but any other EXE paths listed as well, and flag Prefetch files that contain more than one. In most cases the flag won't fire, but hey, the check is automated and documented, takes a second to run, and the one time it does find something will be a real winner.
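Here is what that check looks like in practice, as an added example (this is not the author's tool, nor code from the post). It parses the filename-strings section of an uncompressed Windows Prefetch file (the XP-era format version 17 the post deals with, plus versions 23, 26 and 30, which keep the section offset at the same place in the header), lists every module path ending in .EXE, and flags the file when there is more than one. The `.pf` bytes it runs against are constructed in memory so the script works offline; the paths in `SAMPLE_PATHS` are made up for the example and are not the output from the post.

```python
"""
Flag Prefetch files whose module list references more than one EXE.

Added example: parses the filename-strings section of an uncompressed
Windows Prefetch file (format versions 17/23/26/30) and reports every
module path ending in .EXE. The sample .pf below is constructed here.
"""
import struct
import sys

SIGNATURE = b"SCCA"
SUPPORTED_VERSIONS = {17, 23, 26, 30}  # XP/2003, Vista/7, 8.1, 10


def parse_prefetch(data: bytes) -> dict:
    """Return the executable name, format version and module paths."""
    if data[:3] == b"MAM":
        # Windows 10 writes MAM-compressed .pf files; they must be
        # decompressed (LZXPRESS Huffman) before this parser applies.
        raise ValueError("compressed (MAM) Prefetch file: decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE or version not in SUPPORTED_VERSIONS:
        raise ValueError(f"not a supported Prefetch file (version={version})")
    # 60-byte UTF-16LE executable name at 0x10, NUL padded
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    # Offset and length of the filename-strings section sit at 0x64/0x68
    # in every uncompressed version; the section is NUL-terminated UTF-16LE.
    str_off, str_len = struct.unpack_from("<II", data, 0x64)
    section = data[str_off:str_off + str_len].decode("utf-16-le")
    paths = [p for p in section.split("\x00") if p]
    return {"exe_name": exe_name, "version": version, "paths": paths}


def exe_paths(paths):
    """Module paths that name an executable, matched case-insensitively."""
    return [p for p in paths if p.upper().endswith(".EXE")]


def flag_multiple_exes(data: bytes) -> bool:
    """True when the Prefetch file's module list references more than one EXE."""
    return len(exe_paths(parse_prefetch(data)["paths"])) > 1


def build_sample_prefetch(exe_name: str, paths) -> bytes:
    """Construct a minimal version-17 (XP) Prefetch file for testing.

    Only the header fields the parser reads are filled in; the metrics,
    trace-chain and volume sections are left empty. Constructed data.
    """
    strings = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in paths)
    str_off = 0x98  # end of the version-17 file-information block
    header = bytearray(str_off)
    struct.pack_into("<I4s", header, 0, 17, SIGNATURE)
    struct.pack_into("<I", header, 0x0C, str_off + len(strings))  # file size
    name = exe_name.encode("utf-16-le")
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", header, 0x64, str_off, len(strings))
    return bytes(header) + strings


# Constructed sample: one Prefetch file for JAVA.EXE whose module list
# also names a second executable (hypothetical paths, not the post's data).
SAMPLE_PATHS = [
    r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE6\BIN\JAVA.EXE",
    r"\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\LOCAL SETTINGS\APPLICATION DATA\D3D9CAPS.TMP",
    r"\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\LOCAL SETTINGS\TEMP\DROPPED.EXE",
]
SAMPLE_PF = build_sample_prefetch("JAVA.EXE", SAMPLE_PATHS)


def report(name: str, data: bytes) -> None:
    info = parse_prefetch(data)
    exes = exe_paths(info["paths"])
    mark = "FLAG" if len(exes) > 1 else "ok  "
    print(f"{mark} {name}: {info['exe_name']} (v{info['version']}), "
          f"{len(info['paths'])} modules, {len(exes)} EXE path(s)")
    for p in exes:
        print(f"       {p}")


if __name__ == "__main__":
    files = sys.argv[1:]
    if not files:
        report("sample.pf", SAMPLE_PF)
    for f in files:
        with open(f, "rb") as fh:
            report(f, fh.read())
```

Run it with one or more `.pf` files as arguments (or with none to see the constructed sample). Two caveats: Windows 10 Prefetch files are MAM-compressed and have to be decompressed before the strings section can be read, and the check only looks at the path string, so an executable loaded under a name that doesn't end in .EXE will not be flagged. It is cheap triage, not a complete answer.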
Okay, now back to our regularly scheduled program, already in progress...
Then I found these paths:
I wasn't too interested in those (I had no idea what they are) until I found this one later on:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\LOCAL SETTINGS\APPLICATION DATA\D3D9CAPS.TMP
I still have no idea what any of this is...remember, I only have the single Prefetch file...but this might be something worth investigating.
Here's a path to one of the logs that Corey mentioned in his post:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\DEPLOYMENT.PROPERTIES
We see something similar later in the output, for the Test user:
\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\TEST\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\DEPLOYMENT.PROPERTIES
Here's the path to another log file that Corey mentioned in his blog:
And here's the same thing, but for the Test user account (again):
Remember that Corey was using Metasploit, per his blog post: