// reference investigation

grayson-tech-support-scam — fake Microsoft pop-up remote access

Margaret Grayson called a fake Microsoft support line after a full-screen browser alert; the operator connected via RDP from 203.0.113.88, installed AnyDesk and a malicious Chrome extension, ran obfuscated PowerShell, cleared the Terminal Services logs, and coerced gift-card payments. KAPE triage was collected the next day. Fully synthetic.

what this proves

  • all eight tech-support-scam primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — event log exports, browser profiles, and PowerShell scripts never leave the machine.
  • RDP log clearing gaps, remote session cache tiles, lolbin bursts, malicious Chrome extension, and obfuscated loader indicators surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for tech-support-scam — no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. includes Terminal Services and Security event exports, Chrome history sqlite, malicious extension zip, obfuscated PowerShell loader, RDP cache tiles, process burst csv, and KAPE triage listing.

built deterministically from scripts/fixtures/build-grayson-tech-support-scam.mjs. seed: grayson-tech-support-scam:v1.

methodology

tech support fraud is scripted remote access, and the operator's last step is often to clear the logs that record it, so preserve the Terminal Services channels (the TerminalServices-LocalSessionManager and RemoteConnectionManager operational logs) before anything else. clearing a log does not erase the fact that it was cleared: System records Event ID 104 naming the cleared channel and Security records 1102 for the audit log, and the log clearing detector pairs those with EventRecordID gaps rather than trusting a gap alone (a partial export produces the same jump). then walk log clearing detector → RDP cache → live response tools → lolbin bursts → browser history → extension analyzers → PowerShell deobfuscation. read the full tech support scam guide →

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across RDP session onset, lolbin bursts, browser extension installs, and PowerShell deobfuscation — still zero upload.
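the log clearing detector step of the methodology above and the timestamp-sorted merge described here, as an added example in JavaScript that is not part of the page's engines or the fatcousin tooling: it groups a constructed Windows event export by channel, flags EventRecordID discontinuities, corroborates them against System 104 and Security 1102 clear events, pulls RDP session onsets from LocalSessionManager 21/25, and merges everything into one sorted timeline. the event IDs and channel names are Windows' own; every record, timestamp, user name and record number in SAMPLE_EVENTS is constructed, and the function names are this example's, not the project's.

```javascript
// Added example, not the page's engines. Event IDs are the real Windows ones
// (LocalSessionManager 21/22/24/25, System 104 from Microsoft-Windows-Eventlog,
// Security 1102, Security 4624); every record below is constructed, and only the
// events relevant to the example are included.
const LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational";

const SAMPLE_EVENTS = [
  { channel: "Security", recordId: 88010, eventId: 4624, time: "2025-03-04T14:02:10Z",
    data: { user: "HOME\\Margaret", logonType: 10, sourceAddress: "203.0.113.88" } },
  { channel: LSM, recordId: 120, eventId: 21, time: "2025-03-04T14:02:11Z",
    data: { user: "HOME\\Margaret", sourceAddress: "203.0.113.88", sessionId: 3 } },
  { channel: LSM, recordId: 121, eventId: 22, time: "2025-03-04T14:02:15Z",
    data: { user: "HOME\\Margaret", sessionId: 3 } },
  // LSM records 122-129 are absent from the export: the gap the detector should find.
  { channel: LSM, recordId: 130, eventId: 24, time: "2025-03-04T16:40:02Z",
    data: { user: "HOME\\Margaret", sourceAddress: "203.0.113.88", sessionId: 3 } },
  { channel: "System", recordId: 5002, eventId: 104, time: "2025-03-04T16:35:40Z",
    data: { clearedLog: LSM, user: "HOME\\Margaret" } },
  { channel: "Security", recordId: 88011, eventId: 1102, time: "2025-03-04T16:35:55Z",
    data: { user: "HOME\\Margaret" } },
];

// Per channel, report every EventRecordID discontinuity between time-adjacent
// records. A forward jump means records are missing; a reset to a lower number
// means the log was restarted. Either is a lead, not proof: a partial export
// produces the same jump, so the caller must corroborate it.
function findRecordGaps(events) {
  const byChannel = new Map();
  for (const e of events) {
    if (!byChannel.has(e.channel)) byChannel.set(e.channel, []);
    byChannel.get(e.channel).push(e);
  }
  const gaps = [];
  for (const [channel, list] of byChannel) {
    list.sort((a, b) => a.time.localeCompare(b.time)); // ISO-8601 UTC sorts lexically
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1], cur = list[i];
      const delta = cur.recordId - prev.recordId;
      if (delta === 1) continue;
      gaps.push({ channel, kind: delta < 1 ? "reset" : "jump",
                  missing: delta > 1 ? delta - 1 : null, from: prev.time, to: cur.time,
                  lastRecordBefore: prev.recordId, firstRecordAfter: cur.recordId });
    }
  }
  return gaps;
}

// Explicit "log cleared" records: System 104 names the cleared channel,
// Security 1102 is the audit log itself being cleared.
function findLogClears(events) {
  return events
    .filter(e => (e.channel === "System" && e.eventId === 104) ||
                 (e.channel === "Security" && e.eventId === 1102))
    .map(e => ({ time: e.time, user: e.data.user,
                 clearedLog: e.channel === "Security" ? "Security" : e.data.clearedLog }));
}

// Attach to each gap the clear events for the same channel that fall inside the
// gap's time window; that pairing is what elevates a gap to "cleared".
function corroborateGaps(events) {
  const clears = findLogClears(events);
  return findRecordGaps(events).map(gap => ({
    ...gap,
    corroboratedBy: clears.filter(c => c.clearedLog === gap.channel &&
                                       c.time >= gap.from && c.time <= gap.to),
  }));
}

// RDP session onset: LSM 21 (logon) and 25 (reconnect) carry the source network address.
function rdpSessionOnsets(events) {
  return events
    .filter(e => e.channel === LSM && (e.eventId === 21 || e.eventId === 25))
    .map(e => ({ time: e.time, user: e.data.user, sessionId: e.data.sessionId,
                 sourceAddress: e.data.sourceAddress,
                 kind: e.eventId === 21 ? "logon" : "reconnect" }));
}

function describe(e) {
  const d = e.data;
  switch (e.eventId) {
    case 21:   return `RDP logon ${d.user} session ${d.sessionId} from ${d.sourceAddress}`;
    case 22:   return `shell start ${d.user} session ${d.sessionId}`;
    case 24:   return `RDP disconnect ${d.user} session ${d.sessionId} from ${d.sourceAddress}`;
    case 25:   return `RDP reconnect ${d.user} session ${d.sessionId} from ${d.sourceAddress}`;
    case 104:  return `log cleared: ${d.clearedLog} by ${d.user}`;
    case 1102: return `Security audit log cleared by ${d.user}`;
    case 4624: return `logon type ${d.logonType} ${d.user} from ${d.sourceAddress}`;
    default:   return `event ${e.eventId}`;
  }
}

// One timestamp-sorted timeline: the flat {time, source, summary} shape a
// multi-tool correlator can merge with rows from other engines.
function buildTimeline(events) {
  return events
    .map(e => ({ time: e.time, source: `${e.channel}#${e.eventId}`, summary: describe(e) }))
    .sort((a, b) => a.time.localeCompare(b.time));
}

console.log(JSON.stringify(corroborateGaps(SAMPLE_EVENTS), null, 2));
for (const row of buildTimeline(SAMPLE_EVENTS)) console.log(row.time, row.source, row.summary);
```

on the sample the LSM channel shows one jump of eight missing records between 14:02:15 and 16:40:02, corroborated by the System 104 at 16:35:40 naming that channel; the Security 1102 is reported as a clear but does not corroborate the LSM gap, because it names a different log. the same rows, sorted, are what the super-timeline step consumes.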

synthetic scenario only · no real victim · no real funds · grading rubric
