GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Bit 4 Bit”

We’ve found the malware before:

We need to extract the malware from the memory dump so we can examine it:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -D dump/ -p 3720

We thought of running the malware/ransomware under a dummy/temporary Windows install to infect the OS intentionally, so that maybe we could see the attacker’s wallet address easily.
We were unable to run it.

We moved executable.3720.exe to a Windows OS with CodeReflect installed and opened it.
After some digging we found this:

1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M looks like a BTC wallet. To be sure, we checked it via:

So the flag is:
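
An offline way to hunt for wallet-address candidates in a dumped executable such as the procdump output above, added here as an example and not part of the original writeup: it scans the bytes as ASCII and as UTF-16LE (how .NET stores string literals) and checks each candidate's Base58Check checksum. The function names and the sample buffer are assumptions made for this example.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) addresses: leading 1 or 3, 26-35 Base58 characters in total.
CANDIDATE = re.compile(r"(?<![%s])[13][%s]{25,34}(?![%s])" % (B58, B58, B58))


def base58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes one zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(blob):
    """Return sorted (address, checksum_ok) pairs found as ASCII or UTF-16LE text."""
    views = [blob.decode("latin-1")]
    # UTF-16LE strings can start at an odd or even offset, so try both alignments.
    for offset in (0, 1):
        views.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    found = {}
    for text in views:
        for m in CANDIDATE.finditer(text):
            found[m.group()] = base58check_ok(m.group())
    return sorted(found.items())


if __name__ == "__main__":
    # Constructed sample, not data from the dump: the well-known Bitcoin genesis
    # address stored as UTF-16LE after a few filler bytes.
    sample = b"\x00MZ\x90" + "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa".encode("utf-16-le") + b"\x00\x00"
    print(find_addresses(sample))
```

To use it on the dump, pass the bytes of dump/executable.3720.exe to find_addresses. A passing checksum only shows that the string is a well-formed address, not that it has any transactions.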