keys and passwords as attribution


Malware authors often employ cryptographic keys or passwords in order to secure their payloads.

Often, these secrets are discovered by a defender: the attacker may have left one on a compromised system by mistake, hard-coded a password or key into a payload, had it exposed in a leak, or otherwise slipped up somewhere along the line.

Other times, attackers will reuse similar passwords on command lines when they compromise disparate networks. For example, an attacker may intrude on two different organizations and run a command such as “net user /add hacker REALLYCOOLPASSWORD” during both intrusions. The chance that two unrelated attackers pick the same credentials is low unless the values are generic.

Take note of passwords or keys whenever you find them. Depending on how unique the username/password pair is, it may be a useful basis for attribution.

Usernames and passwords can often give clues to the nationality of the attacker. Certain words just don’t make sense out of context in English but may be a standard part of a typical Korean’s lexicon.

Finally, cryptographic keys tend to be unique to their owner. Any reuse of an attacker’s cryptographic material across cases should be investigated.
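The tracking the note recommends, as an added example that is not part of the original note: a small index that records credentials and key material recovered during incident response (the `net user ... /add` pattern above included), stores only a digest of each secret, discounts generic values, and reports anything seen in more than one case. The case identifiers, victim names, command lines and key values are constructed for the demo.

```python
"""Index secrets recovered from intrusions and report reuse across cases.
Added illustration, not from the original note; all sample data is constructed."""
from __future__ import annotations

import hashlib
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Values that many unrelated actors use; their reuse says nothing about identity.
GENERIC_VALUES = {"password", "password1", "p@ssw0rd", "123456", "admin", "test"}


@dataclass(frozen=True)
class Observation:
    case_id: str            # incident identifier (constructed)
    victim: str             # victim organisation (constructed)
    kind: str               # "password" or "key"
    username: str | None    # account name for credentials, None for keys
    secret: str             # the password or key exactly as recovered
    context: str            # where it was seen, e.g. the command line or a file path


def fingerprint(obs: Observation) -> str:
    """Digest of kind + username + secret, so the index never stores the raw secret."""
    material = f"{obs.kind}:{obs.username or ''}:{obs.secret}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:16]


def is_generic(secret: str) -> bool:
    return secret.strip().lower() in GENERIC_VALUES


def extract_net_user(cmdline: str) -> tuple[str, str] | None:
    """Pull (username, password) out of a 'net user ... /add' command line.
    The /add switch is accepted before or after the positional arguments."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        return None
    if len(tokens) < 4 or [t.lower() for t in tokens[:2]] != ["net", "user"]:
        return None
    switches = {t.lower() for t in tokens[2:] if t.startswith("/")}
    positional = [t for t in tokens[2:] if not t.startswith("/")]
    if "/add" not in switches or len(positional) != 2:
        return None
    return positional[0], positional[1]


class SecretIndex:
    """Maps fingerprints of recovered secrets to every observation of them."""

    def __init__(self) -> None:
        self._seen: dict[str, list[Observation]] = defaultdict(list)

    def add(self, obs: Observation) -> None:
        self._seen[fingerprint(obs)].append(obs)

    def add_command_line(self, case_id: str, victim: str, cmdline: str) -> bool:
        """Index the user/password pair from an account-creation command, if present."""
        creds = extract_net_user(cmdline)
        if creds is None:
            return False
        user, password = creds
        self.add(Observation(case_id, victim, "password", user, password, cmdline))
        return True

    def reuse(self) -> list[dict]:
        """Secrets observed in two or more distinct cases, generic values excluded."""
        hits = []
        for fp, observations in self._seen.items():
            cases = sorted({o.case_id for o in observations})
            if len(cases) < 2 or is_generic(observations[0].secret):
                continue
            hits.append({
                "fingerprint": fp,
                "kind": observations[0].kind,
                "username": observations[0].username,
                "cases": cases,
                "victims": sorted({o.victim for o in observations}),
            })
        return sorted(hits, key=lambda h: h["kind"])


def build_demo_index() -> SecretIndex:
    """Three constructed cases: two share a credential pair and a key, one is unrelated."""
    idx = SecretIndex()
    shared_key = "9c1e4b7a2d5f8e03a6b4c7d9e1f2a3b5"  # constructed hex value
    idx.add_command_line("IR-2023-A", "Org Alpha", "net user /add hacker REALLYCOOLPASSWORD")
    idx.add_command_line("IR-2023-A", "Org Alpha", "net user admin Password1 /add")
    idx.add(Observation("IR-2023-A", "Org Alpha", "key", None, shared_key, "config.dat"))
    idx.add_command_line("IR-2023-B", "Org Beta", "net user hacker REALLYCOOLPASSWORD /add")
    idx.add_command_line("IR-2023-B", "Org Beta", "net user admin Password1 /add")
    idx.add(Observation("IR-2023-B", "Org Beta", "key", None, shared_key, "loader.bin"))
    idx.add(Observation("IR-2023-C", "Org Gamma", "key", None, "0" * 32, "dropper.exe"))
    return idx


if __name__ == "__main__":
    for hit in build_demo_index().reuse():
        print(hit)
```

The `admin`/`Password1` pair recurs in both cases but is dropped because the value is on the generic list, which is exactly the "unless they use generic values" caveat from the note; the `hacker`/`REALLYCOOLPASSWORD` pair and the shared key are reported with the list of cases and victims so an analyst can pull those incidents together for review.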
