[algorithm-memory] Full algorithm + decoded payloads + progress saved under:
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\algorithm_sessions\20260405T005455Z_700e1b2b0fe6
  → decoded_payloads_recursive/ (ranked .bin + FULL_DECODED_RECURSIVE_BEST.bin)
  pattern library: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\algorithm_store\pattern_library.jsonl
  (after ultra-peel: FULL_DECODED_AFTER_PEEL.bin is copied into this session)
2026-04-04 20:03:45,270Z INFO rq4d_stega.engine Report written C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\reports\swi-rebecca-5102-card.avif_700e1b2b0fe6a109.json

PASS 1 — deterministic metrics
Evidence path: C:\Users\Asus\Desktop\swi-rebecca-5102-card.avif
Size (bytes): 37022
SHA256 (prefix): 700e1b2b0fe6a109c1339c41…
Container / format: bmff
Global Shannon H: 7.99051
Chi-square vs uniform: 568.61
EOF / appended regions: 1
Extracted sidecar blobs: 1

>> Deterministic scenario ranking (pre-LLM)
--------------------------------------------
[0.85] ml_model_or_serialization_artifact
[0.60] encrypted_or_high_entropy_opaque_blob
[0.55] benign_compression_or_container_artifact
[0.48] steganographic_or_appended_payload
[0.39] embedded_executable_artifact

>> Payload / signature scan (heuristic markers)
------------------------------------------------
pe_mz: 2 hit(s) @ offsets [31680, 108]
shellcode_hint: 2 hit(s) @ offsets [25712, 284]

>> Byte-level structure validation (deterministic)
---------------------------------------------------
PE images verified (in-buffer): 0
ZIP archives verified: 0
MZ scanner hits (unverified): 2

[2] Carving & candidate generation headers · entropy windows · report-linked slices

PASS 2 — extraction summary
Distinct candidates: 4
Top sources (count): eof:jpeg_post_eoj:1, existing_extract:eof_jpeg_po...

[2.5] Byte metadata + forced recursive decode every candidate → transform graph (entropy-breakthrough priority); LLM sees all paths

PASS 2.5 — transformation evolution (not gated on initial structure)
Carved candidates (all): 4
Recursive graph nodes expanded: 199996
Decode breakthrough rows: 40
Byte-valid PE/ZIP (reference only): 0

[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_1
  Entropy: 7.80464 -> 1.67293 (delta 6.13171) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_2
  Entropy: 7.80464 -> 1.91487 (delta 5.88977) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_8
  Entropy: 7.80464 -> 2.24853 (delta 5.55611) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_7
  Entropy: 7.80464 -> 2.32441 (delta 5.48023) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_11
  Entropy: 7.80464 -> 2.32441 (delta 5.48023) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_3
  Entropy: 7.80464 -> 2.39428 (delta 5.41036) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_5
  Entropy: 7.80464 -> 2.39428 (delta 5.41036) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> strings:strslice_0
  Entropy: 7.80464 -> 2.45915 (delta 5.34549) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_4
  Entropy: 7.80464 -> 2.51957 (delta 5.28507) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_10
  Entropy: 7.80464 -> 2.52205 (delta 5.28259) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_9
  Entropy: 7.80464 -> 2.55034 (delta 5.2543) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_13
  Entropy: 7.80464 -> 2.64295 (delta 5.16169) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_12
  Entropy: 7.80464 -> 2.77322 (delta 5.03142) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_4154_20298_eof:jpeg_post_eoj_152502e5
  Path: candidate:cand_4154_20298_eof:jpeg_post_eoj_152502e5 -> xor:xor_single_0xcb -> xor:xor_rolling_add_3 -> strings:strslice_0
  Entropy: 7.99125 -> 3.12193 (delta 4.86933) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_file_eof_jpeg_post_eoj_4154_20298_d3da25
  Path: candidate:cand_file_eof_jpeg_post_eoj_4154_20298_d3da25 -> xor:xor_single_0xcb -> xor:xor_rolling_add_3 -> strings:strslice_0
  Entropy: 7.99125 -> 3.12193 (delta 4.86933) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_0
  Entropy: 7.80464 -> 2.94068 (delta 4.86396) Detected: 'unknown' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_ent_disc_0_588dee
  Path: candidate:cand_ent_disc_0_588dee -> xor:xor_single_0x2f -> strings:strslice_15
  Entropy: 7.80464 -> 3.12193 (delta 4.68271) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_4154_20298_eof:jpeg_post_eoj_152502e5
  Path: candidate:cand_4154_20298_eof:jpeg_post_eoj_152502e5 -> xor:xor_single_0xcb -> xor:xor_rolling_add_3 -> xor_keyspace_lite:xor_2b_333a -> xor:xor_single_0x85 -> xor_keyspace_lite:xor_2b_0091 -> strings:strslice_0
  Entropy: 7.992 -> 3.32193 (delta 4.67007) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_file_eof_jpeg_post_eoj_4154_20298_d3da25
  Path: candidate:cand_file_eof_jpeg_post_eoj_4154_20298_d3da25 -> xor:xor_single_0xcb -> xor:xor_rolling_add_3 -> xor_keyspace_lite:xor_2b_333a -> xor:xor_single_0x85 -> xor_keyspace_lite:xor_2b_0091 -> strings:strslice_0
  Entropy: 7.992 -> 3.32193 (delta 4.67007) Detected: 'short' Confidence: 0.6
[DECODE BREAKTHROUGH] Candidate: cand_4154_20298_eof:jpeg_post_eoj_152502e5
  Path: candidate:cand_4154_20298_eof:jpeg_post_eoj_152502e5 -> xor:xor_single_0xcb -> xor:xor_rolling_add_3 -> xor_keyspace_lite:xor_2b_663a -> strings:strslice_0
  Entropy: 7.99078 -> 3.32193 (delta 4.66886) Detected: 'short' Confidence: 0.6

[3] Ollama hypothesis synthesis JSON-only · all candidates + recursive decode evolution
[4a] Deterministic transform ladder zlib / gzip / XOR / base64 + margin expansion
[4b] Evidence-weighted revalidation magic · entropy delta · signatures

>> Validated findings (thresholded — suitable for briefings)
-------------------------------------------------------------
Type Offset Confidence Evidence (summary)
------------------------------------------------------------------------

Run summary
Top confidence: 0.0000
Deep-AI extra rounds used: 0

+--------------------------------------------------------------------------+
|                            PIPELINE COMPLETE                             |
|         JSON report + extracted artifacts under output directory         |
+--------------------------------------------------------------------------+
------------------------------------------------------------------------
[pipeline] Machine-readable findings (JSON export below)
[]
[pipeline] Full report: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\reports\swi-rebecca-5102-card.avif_700e1b2b0fe6a109_pipeline.json
[recursive-decode] Trace: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\traces\full_decode_tree.json
[pipeline status] no_successful_decode_chain_found_after_199996_transform_expansions

File: C:\Users\Asus\Desktop\swi-rebecca-5102-card.avif
SHA256: 700e1b2b0fe6a109c1339c41f5ca42df72440321cea4874da0e1fab3e20d28ca
Size: 37022
Detected format: bmff
Structure: parsed (bmff)
EOF / overlay regions:
- jpeg_post_eoj @0x4154 len=20298 Appended after JPEG EOI
Global entropy: 7.990506
chi2_uniform: 568.608
Heuristic signals:
- {'signal': 'global_high_entropy', 'value': 7.990506, 'confidence': 0.6, 'note': 'Uniform high entropy — not proof of malice'}
- {'signal': 'aligned_high_entropy_window', 'offset': 512, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 1024, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 1536, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 2048, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 2560, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 3072, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 3584, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 4096, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 4608, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 5120, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 5632, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 6144, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 6656, 'confidence': 0.45, 'note': 'Heuristic only'}
- {'signal': 'aligned_high_entropy_window', 'offset': 7168, 'confidence': 0.45, 'note': 'Heuristic only'}
Payload / script indicators:
- pe_mz @0x7bc0 PE DOS header
- shellcode_hint @0x6470 fc e8
- shellcode_hint @0x11c fc e8
- pe_mz @0x6c PE DOS header
Extracted:
- C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\extracted\eof_jpeg_post_eoj_4154_20298.bin

[decode] Top hypotheses (score / method):
- xor_single_0x10 score=0.2769 len=20298
- xor_single_0xba score=0.2761 len=20298
- xor_single_0x0c score=0.276 len=20298
- xor_single_0xa2 score=0.276 len=20298
- xor_single_0x06 score=0.2759 len=20298
- xor_single_0x16 score=0.2759 len=20298
- xor_single_0x17 score=0.2759 len=20298
- xor_single_0x12 score=0.2758 len=20298

[ml-sig] Model / tensor signature layer (factual markers only):
- dense_float16_like_block @0x0 conf=0.6953 window=512 finite_ratio=0.9883
- dense_float16_like_block @0x80 conf=0.6953 window=512 finite_ratio=0.9883
- dense_float16_like_block @0x100 conf=0.6906 window=512 finite_ratio=0.9766
- dense_float16_like_block @0x180 conf=0.6875 window=512 finite_ratio=0.9688
- dense_float16_like_block @0x200 conf=0.6875 window=512 finite_ratio=0.9688
- dense_float16_like_block @0x280 conf=0.6875 window=512 finite_ratio=0.9688
- dense_float16_like_block @0x300 conf=0.6891 window=512 finite_ratio=0.9727
- dense_float16_like_block @0x380 conf=0.6891 window=512 finite_ratio=0.9727
- dense_float16_like_block @0x400 conf=0.6922 window=512 finite_ratio=0.9805
- dense_float16_like_block @0x480 conf=0.6922 window=512 finite_ratio=0.9805

[decode-hyp] Ranked decode hypotheses (deterministic):
- rank=1 xor_single_0x10 conf=0.2907
- rank=2 xor_single_0xba conf=0.2899
- rank=3 xor_single_0x0c conf=0.2898
- rank=4 xor_single_0xa2 conf=0.2898
- rank=5 xor_single_0x06 conf=0.2897
- rank=6 xor_single_0x16 conf=0.2897

[fusion] Ranked scenario hypotheses:
- ml_model_or_serialization_artifact confidence=0.85 sup=1 con=0
- encrypted_or_high_entropy_opaque_blob confidence=0.6 sup=3 con=0
- benign_compression_or_container_artifact confidence=0.55 sup=3 con=1
- steganographic_or_appended_payload confidence=0.48 sup=3 con=0
- embedded_executable_artifact confidence=0.39 sup=2 con=0

[recursive-decode] Ranked transform lineages (evidence on disk):
- score=0.6 len=67 entropy_cliff@100 -> xor:xor_single_0x4d -> strings:strslice_1
- score=0.6 len=60 entropy_cliff@100 -> xor:xor_single_0x4d -> strings:strslice_2
- score=0.6 len=48 full_file -> xor:xor_single_0x35 -> endian:pair_byte_swap -> strings:strslice_2
- score=0.6 len=47 payload_pe_mz@6c -> xor:xor_single_0x35 -> endian:pair_byte_swap -> strings:strslice_0
- score=0.6 len=46 full_file -> xor:xor_single_0x35 -> strings:strslice_2
- score=0.6 len=46 entropy_cliff@100 -> xor:xor_single_0x2f -> strings:strslice_2
- trace_json: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\traces\full_decode_tree.json

[RomaQuantum4D] Post-scan: reusing PRIMARY Go telemetry (no duplicate bridge run) expectation_h=4.479318504925469 logit_bias=0.03361580012727075 sim_steps=7
2026-04-04 20:05:38,044Z INFO rq4d_stega.romaquantum_secondary_decode RomaQuantum secondary decode: 0 artifacts in C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\romaquantum_decode_pass
[RomaQuantum4D] Secondary decode pass (deterministic): 0 artifact(s) -> C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\romaquantum_decode_pass
[RomaQuantum4D] Pass-2 Ollama skipped (deterministic path only; use --ai for LLM).
[gov-peel] best_decoded_payload.bin -> C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\best_decoded_payload.bin
=========================================================================
RQ4D-STEGA — SESSION FILES (save these paths)
Full console transcript (complete PowerShell/console capture):
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\sessions\rq4d_console_20260405T005452Z.log
Structured application log:
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\rq4d_stega_20260405T005452Z.log
Most promising .bin in layered/ (PE / shellcode-prioritized) (5342 bytes):
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\layered\pipe_cand_hdr_MZ_7bc0_18035f_5d2a08d3fd.bin
------------------------------------------------------------------------
Binary / high-entropy — top 100 ASCII strings + hex (first 512 bytes):
=========================================================================
=========================================================================
=== RQ4D-STEGA ULTIMATE GOV — FULLY PEELED PAYLOAD ===
=========================================================================
Payload file: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\best_decoded_payload.bin
Size: 5342 bytes
CLEAN HEX (first 512 bytes — C array style):
STRINGS:
xor:xor_single_0x35 -> endian:pair_byte_swap -> strings:strslice_0
MANUAL REPRODUCTION STEPS:
1. Extract candidate region from file
2. Working buffer under rq4d_output: layered\pipe_cand_hdr_MZ_7bc0_18035f_5d2a08d3fd.bin
3. Apply transform: payload_pe_mz@6c.
4. Apply single-byte XOR with key 0x35 (every byte).
5. Apply transform: endian:pair_byte_swap.
6. Apply strings / slice extraction (strings:strslice_0).
GOV IOCs extracted:
xor:xor_single_0xe6]; domain=zU.Ts [full_file -> xor:xor_single_0xe6]; domain=yj.yx [full_file -> xor:xor_single_0xe6]; domain=a.OZa [full_file -> xor:xor_single_0xa1]; domain=P.zD [full_file -> xor:xor_single_0xe2]; domain=t.SI [full_file -> xor:xor_single_0xe2]; domain=C.xa [full_file -> xor:xor_single_0xec]; domain=R.Fx [full_file -> xor:xor_single_0xec]; domain=r.imUi [full_file -> xor:xor_single_0xfb]; domain=c.df [full_file -> xor:xor_single_0xac]; domain=m.zmd [full_file -> xor:xor_single_0xae]; domain=k.OR [full_file -> xor:xor_single_0xb3]; domain=B.rb [full_file -> xor:xor_single_0xb7]; domain=p.oRJ [full_file -> xor:xor_single_0xbf]; domain=k.ZCZ [full_file -> xor:xor_single_0xbf]; domain=wd.gmg [full_file -> strings:strslice_1 -> xor:xor_single_0x14]; domain=qyg.ual [full_file -> strings:strslice_1 -> xor:xor_single_0x14]; domain=ufm.uxd [full_file -> strings:strslice_1 -> xor:xor_single_0x14]; ipv6=c:0: [full_file -> strings:strslice_1 -> xor:xor_single_0x59]; domain=ivyrvy.rv [full_file -> strings:strslice_0 -> xor:xor_single_0x1f]; ipv6=5:15: [full_file -> strings:strslice_0 -> xor:xor_single_0x5c]; domain=D.NW [full_file -> base64:b64_std_skip0 -> xor:xor_single_0xe2]; domain=D.Cf [full_file -> base64:b64_std_skip0 -> xor:xor_single_0xd9]; domain=PcJdc.cc [full_file -> base64:b64_std_skip0 -> base64:b64_std_skip0 -> xor:xor_repeat_ae2d07963e2c21 -> base64:b64_std_skip1 -> xor:xor_repeat_61a128aa -> xor:xor_single_0x43]; domain=PPPPP.Py [full_file -> base64:b64_std_skip0 -> base64:b64_std_skip0 -> xor:xor_repeat_ae2d07963e2c21 -> base64:b64_std_skip1 -> xor:xor_repeat_61a128aa -> xor:xor_repeat_3300290700 -> xor:xor_single_0x70]; domain=O.OOOO [full_file -> base64:b64_std_skip0 -> base64:b64_std_skip0 -> xor:xor_repeat_ae2d07963e2c21 -> base64:b64_std_skip2 -> xor:xor_repeat_026822 -> xor:xor_repeat_3b000072 -> xor:xor_single_0x6f]; domain=mfnffff.ffff [full_file -> strings:strslice_0 -> xor:xor_repeat_4d494146 -> xor:xor_repeat_071f00000000 -> 
xor:xor_single_0x46]; domain=uuuu.uuuu [full_file -> strings:strslice_0 -> xor:xor_repeat_4d494146 -> xor:xor_repeat_0c000000000007 -> xor:xor_single_0x55]; domain=vf.vr [full_file -> strings:strslice_0 -> xor:xor_repeat_4146114649 -> xor:xor_single_0x56]; domain=vm.vrvvvvvvv [full_file -> strings:strslice_0 -> xor:xor_repeat_4146114649 -> xor:xor_repeat_000b0000000800 -> xor:xor_single_0x56]; domain=vf.vvvvv [full_file -> strings:strslice_0 -> xor:xor_repeat_4146114649 -> xor:xor_repeat_0000000004080000 -> xor:xor_single_0x56]; domain=F.zP [full_file -> base64:b64_std_skip0 -> base64:b64_std_skip0 -> xor:xor_repeat_443e26212d49 -> rot:rol_3]; domain=ufyyyyv.yyqy [full_file -> strings:strslice_0 -> xor:xor_single_0x2c -> xor:xor_repeat_6165656a -> xor:xor_single_0x59]; domain=ffffffe.ffnf [full_file -> strings:strslice_0 -> xor:xor_single_0x2c -> xor:xor_repeat_6165656a -> xor:xor_repeat_0c1f00000000 -> xor:xor_single_0x46]; domain=ujuuuuu.uu [full_file -> strings:strslice_0 -> xor:xor_single_0x2c -> xor:xor_repeat_6165656a -> xor:xor_repeat_0c00000000000f -> xor:xor_single_0x55]; domain=rb.yrrrrrrrr [full_file -> strings:strslice_0 -> xor:xor_single_0x2c -> xor:xor_repeat_6d6a3d6161 -> xor:xor_repeat_00000400000800 -> xor:xor_single_0x52]; domain=H.HM [full_file -> xor:xor_single_0x35 -> endian:pair_byte_swap]; domain=e.bW [full_file -> xor:xor_single_0x35 -> endian:pair_byte_swap]; domain=D.zO [full_file -> xor:xor_single_0x35 -> rot:ror_2]; domain=HY.wi [full_file -> xor:xor_single_0x35 -> rot:ror_2]; domain=k.vL [full_file -> xor:xor_single_0x35 -> rot:rol_4]; domain=g.oJ [full_file -> xor:xor_single_0x35 -> rot:rol_4]; domain=n.hR [full_file -> xor:xor_single_0x35 -> rot:rol_1]; domain=8B.Bn [full_file -> xor:xor_single_0x35 -> rot:rol_2]; domain=O.dfEc [full_file -> xor:xor_single_0x35 -> rot:ror_3]; domain=J.tgG [full_file -> xor:xor_single_0x35 -> rot:ror_3]; domain=L.Ga [full_file -> xor:xor_single_0x35 -> rot:ror_1]; domain=B.RB [full_file -> 
xor:xor_single_0x35 -> rot:ror_1]; domain=s.Mp [full_file -> xor:xor_single_0x35 -> rot:ror_1]; domain=f.Wh [full_file -> xor:xor_single_0x35 -> rot:ror_1]; domain=4.gU [full_file -> xor:xor_single_0x35 -> rot:rol_3]; domain=t.Cm [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_00ae]; domain=wx.sq [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_00ae]; domain=y4.Tp [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_66e8]; domain=j.eA [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_3374]; domain=V.am [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_22ae]; domain=4n0.CK [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_22ae]; domain=0y.QQ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_001d]; domain=q.TJ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_001d]; domain=S.vJ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_221d]; domain=E.Hh [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_551d]; domain=f.kQ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_5557]; domain=9.lb [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_3391]; domain=2e.jg [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_3391]; domain=B.tt [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_3391]; domain=X.LZM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_4491]; domain=1.Te [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_4491]; domain=o.qu [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_4400]; domain=M.Ym [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_4400]; domain=i.AR [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_4400]; domain=H.GA [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_1174]; domain=I.dn [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_0091]; domain=2V.Yg [full_file -> xor:xor_single_0x35 -> 
xor_keyspace_lite:xor_2b_0091]; domain=r.AJ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_0091]; domain=q.Gt [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_0091]; domain=d.Qs [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_66ae]; domain=J.TM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_66ae]; domain=m.fQ [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_66ae]; domain=M.jb [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_5574]; domain=A.ZnkEfM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_663a]; domain=i.sV [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_663a]; domain=c.yl [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_663a]; domain=OI.aWF [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_663a]; domain=o.SM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_00cb]; domain=P.Xy [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_00cb]; domain=L.pM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_00e8]; domain=U.Ku [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_443a]; domain=Ok.CWd [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_443a]; domain=w.cm [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_443a]; domain=g.sZr [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_44ae]; domain=G.dt [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_44ae]; domain=B.hli [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_55ae]; domain=7.Kx [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_55ae]; domain=b.sE [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_6691]; domain=u.kM [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_6691]; domain=R.YQc [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_6691]; domain=Z.Cm [full_file -> xor:xor_single_0x35 -> xor_keyspace_lite:xor_2b_6657]; domain=4.zI 
=========================================================================
=== RQ4D-STEGA ULTIMATE GOVERNMENT-GRADE VERSION COMPLETE ===
Professional startup banner + 10-second delay + full responsibility disclaimer added.
RomaQuantum4D Go engine is PRIMARY: bridge runs first; Python guided search executes only under authorized telemetry (or --allow-python-decode-fallback).

========================================================================
RQ4D-STEGA — SESSION FILES (save these paths)
========================================================================
Full console transcript (complete PowerShell/console capture):
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\sessions\rq4d_console_20260405T005452Z.log
Structured application log:
  C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\rq4d_stega_20260405T005452Z.log
========================================================================

PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega> cd "C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output"
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> mkdir -p "extracted_payloads\20260405_sw i-rebecca"

    Directory: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\extracted_payloads

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2026-04-04 8:12 PM 20260405_sw i-rebecca

PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> copy best_decoded_payload.bin "extracted_payloads\20260405_swi-rebecca\payload_pe_mz_decoded.bin"
copy : Could not find a part of the path
'C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\extracted_payloads\20260405_swi-rebecca\payload_pe_mz_decoded.bin'.
At line:1 char:1
+ copy best_decoded_payload.bin "extracted_payloads\20260405_swi-rebecc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Copy-Item], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.PowerShell.Commands.CopyItemCommand

PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> copy layered\pipe_cand_hdr_MZ_7bc0_18035f_5d2a08d3fd.bin "extracted_payloads\20260405_swi-rebecca\raw_carved_candidate.bin"
copy : Could not find a part of the path
'C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\extracted_payloads\20260405_swi-rebecca\raw_carved_candidate.bin'.
At line:1 char:1
+ copy layered\pipe_cand_hdr_MZ_7bc0_18035f_5d2a08d3fd.bin "extracted_p ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Copy-Item], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.PowerShell.Commands.CopyItemCommand

PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> # Create the folder (safely, even if it already exists)
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> New-Item -ItemType Directory -Path "extracted_payloads\20260405_swi-rebecca" -Force

    Directory: C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output\extracted_payloads

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2026-04-04 8:12 PM 20260405_swi-rebecca

PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output>
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> # Now copy both files
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> Copy-Item -Path best_decoded_payload.bin -Destination "extracted_payloads\20260405_swi-rebecca\payload_pe_mz_decoded.bin"
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> Copy-Item -Path layered\pipe_cand_hdr_MZ_7bc0_18035f_5d2a08d3fd.bin -Destination "extracted_payloads\20260405_swi-rebecca\raw_carved_candidate.bin"
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output>
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output> Write-Host "✅ Payloads safely copied!" -ForegroundColor Green
✅ Payloads safely copied!
PS C:\Users\Asus\Desktop\4DEngine\RQ4D-Stega\rq4d_output>