Recovering the flag from the logged Windows API calls of malware reading the original unencrypted files.

Original writeup (http://karabut.com/trend-micro-ctf-2017-quals-forensic-300-writeup.html).