tech support scam
pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the tech support scam — triage kit preset — drop RDP / RMM logs + browser history → remote-access clearing detect → lolbin burst → PS deobfuscate → report
guided steps
- remote desktop log clearing and gap detector
  detect RDP log clearing — common post-scam cleanup
- live response tool execution artifact detector
  detect RMM / live-response tool execution artifacts
- LOLBin execution burst detector
  flag LOLBin execution bursts during the scam session window
- browser history clearing pattern detector
  detect browser history clearing after the remote session
- case report generator
  draft a report documenting remote-access evidence + cleanup indicators
suggested options · title: tech support scam — triage
when you're done
export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.
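how a self-hashed run summary can be sealed and checked, as an added example (not this tool's own code). the field names, SHA-256, and the sorted-key JSON canonical form are assumptions; the page does not specify the export format.

```python
import copy
import hashlib
import json

HASH_FIELD = "self_hash"  # assumed field name; the page does not name it

def canonical_bytes(record: dict) -> bytes:
    """Serialize everything except the hash field in a stable form."""
    body = {k: v for k, v in record.items() if k != HASH_FIELD}
    # Sorted keys and fixed separators: key order or whitespace cannot change the digest.
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def seal(record: dict) -> dict:
    """Return a copy of the record with its SHA-256 self-hash attached."""
    sealed = dict(record)
    sealed[HASH_FIELD] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return sealed

def verify(record: dict) -> bool:
    """True if the embedded hash matches the rest of the record."""
    claimed = record.get(HASH_FIELD)
    if not isinstance(claimed, str):
        return False
    return claimed == hashlib.sha256(canonical_bytes(record)).hexdigest()

def matches_recorded(record: dict, recorded_hash: str) -> bool:
    """Stronger check: compare against a hash noted outside the file."""
    return verify(record) and record[HASH_FIELD] == recorded_hash

# Constructed sample summary (hypothetical step ids and notes).
SAMPLE = {
    "playbook": "tech support scam",
    "steps": [{"id": "rdp-log-clearing", "done": True},
              {"id": "lolbin-burst", "done": False}],
    "notes": "RMM installer found in Downloads",
}

def demo() -> dict:
    sealed = seal(SAMPLE)
    edited = copy.deepcopy(sealed)
    edited["steps"][1]["done"] = True   # edit made after export
    resealed = seal(edited)             # same edit, hash recomputed
    noted = sealed[HASH_FIELD]          # value copied into case notes at export
    return {"original": verify(sealed), "edited": verify(edited),
            "resealed_self_check": verify(resealed),
            "resealed_vs_notes": matches_recorded(resealed, noted)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

the self-check catches any edit that leaves the stored hash untouched; a record whose hash was recomputed after the edit only fails against a hash value noted outside the file, such as in the case notes.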