Oracle 10 -> 15

Oracle 10 -> 11

The password for oracle11 is the .biz site the user has previously navigated to.

Get-Item 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'

Password: yondu

Oracle 11 -> 12

The password for oracle12 is the drive letter associated with the mapped drive that this user has.

Get-ChildItem 'HKCU:\Network'

Password: m

https://social.technet.microsoft.com/Forums/ie/en-US/65eb8a2f-988f-40a7-b6ff-616a050c8efc/list-all-mapped-drives-for-all-users-that-have-logged-into-a-computer?forum=ITCG

Oracle 12 -> 13

The password for oracle13 is the IP of the system that this user has previously established a remote desktop with.

Get-ChildItem 'HKCU:\Software\Microsoft\Terminal Server Client'

Password: 192.168.2.3

https://www.techsupportall.com/how-to-remove-remote-desktop-connection-history-name-ip-entries/

Oracle 13 -> 14

The password for oracle14 is the name of the user who created the Galaxy security group as depicted in the event logs on the desktop PLUS the name of the text file on the user’s desktop.

Get-WinEvent -Path .\security.evtx | Where-Object -Property Message -Match 'Galaxy' | Format-List
Log Id: 4727

Password: gamora88

https://4sysops.com/archives/search-the-event-log-with-the-get-winevent-powershell-cmdlet/

Oracle 14 -> 15

The password for oracle15 is the name of the user who added the user Bereet to the Galaxy security group as depicted in the event logs on the desktop PLUS the name of the text file on the user’s desktop.

Get-WinEvent -Path .\security.evtx | Where-Object -Property Message -Match 'bereet' | Format-List
Log Id: 4728

Password: nebula2112