drop process memory + executable · detect direct-syscall stubs (HellsGate / SysWhispers / FreshyCalls) · runs locally
x64 mov r10,rcx; mov eax,SSN; syscall · framework strings · x86 int 2e
heuristic screener · parses artifacts locally · not definitive proof
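
An added example, not this tool's own code: a minimal Python screener for the two byte signatures listed above, run over constructed memory regions. MAX_GAP, MAX_SSN, the ntdll.dll exclusion by module name, and matching on the bare framework names are assumptions of this sketch.

```python
import re
import struct

MAX_GAP = 16      # assumption: filler bytes tolerated before the syscall opcode
MAX_SSN = 0x2000  # assumption: larger immediates are unlikely to be service numbers

# mov r10, rcx = 4C 8B D1 ; mov eax, imm32 = B8 imm32 ; syscall = 0F 05
X64_STUB = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,%d}?\x0f\x05" % MAX_GAP, re.DOTALL)
# mov eax, imm32 = B8 imm32 ; int 2e = CD 2E
X86_INT2E = re.compile(rb"\xb8(.{4}).{0,%d}?\xcd\x2e" % MAX_GAP, re.DOTALL)
# Framework names taken from the page; matching on the bare names is an assumption.
FRAMEWORKS = (b"HellsGate", b"SysWhispers", b"FreshyCalls")


def scan(regions):
    """regions: iterable of (module_name, base_address, data). Returns findings."""
    findings = []
    for name, base, data in regions:
        # Genuine ntdll.dll stubs contain the same prologue, so a match only
        # counts when it sits outside that module (names can be spoofed).
        in_ntdll = name.lower() == "ntdll.dll"
        for kind, rx in (("x64-syscall", X64_STUB), ("x86-int2e", X86_INT2E)):
            for m in rx.finditer(data):
                ssn = struct.unpack("<I", m.group(1))[0]
                if ssn < MAX_SSN and not in_ntdll:
                    findings.append((kind, name, base + m.start(), ssn))
        for fw in FRAMEWORKS:
            wide = fw.decode().encode("utf-16-le")  # UTF-16LE form of the name
            if fw in data or wide in data:
                findings.append(("framework-string", name, base, fw.decode()))
    return findings


# Constructed sample regions (not taken from a real dump).
STUB = bytes.fromhex("4c8bd1b8180000000f05c3")  # SSN 0x18, syscall follows directly
NTDLL_STUB = bytes.fromhex("4c8bd1b850000000f604250803fe7f0175030f05c3")
INT2E_STUB = bytes.fromhex("b8260000008d542404cd2ec3")  # SSN 0x26, then int 2e
SAMPLE = [
    ("ntdll.dll", 0x7FF800000000, b"\x90" * 8 + NTDLL_STUB),
    ("sample.exe", 0x140000000, b"\xcc" * 32 + STUB + b"\x00SysWhispers\x00"),
    ("legacy.bin", 0x400000, b"\x90" * 4 + INT2E_STUB),
]

if __name__ == "__main__":
    for kind, module, addr, detail in scan(SAMPLE):
        shown = hex(detail) if isinstance(detail, int) else detail
        print(f"{kind:17} {module:11} {addr:#x} {shown}")
```

A hit marks a region for manual review, in line with the tool's own "not definitive proof" caveat.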