// first 10 minutes
tech support scam — quick-start
tech support scam — first 10 minutes. cut remote access, preserve payment records. print this, check boxes, then run the primary tools.
checklist
- disconnect from the internet or terminate the remote access session immediately — close AnyDesk, TeamViewer, QuickSupport.
- run antivirus and look for remote access tools installed by the scammer — AnyDesk, TeamViewer, ScreenConnect, ConnectWise.
- record the payment method and amount: gift card serial numbers, wire transfer reference, Zelle/Venmo transaction ID.
- screenshot or photograph the scammer's callback number, company name, and any on-screen messages before they are lost.
- export browser history for the period — note the pop-up URL that initiated the contact and any domains the scammer accessed.
- pull the Windows event log for remote access tool installation and execution (Application log + System log).
- check whether the scammer created any new user accounts, changed passwords, or installed persistence tools.
- if gift cards were purchased: return unused portions and contact the gift card issuer's fraud line — some issuers can freeze unspent balances.
- file at ftc.gov/reportfraud and ic3.gov — include callback number, company name, and payment details.
- begin the primary tool path below — remote access artifact scanner and tech support scam evidence builder.
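One way to automate the event-log step of the checklist above, as an added example that is not one of the page's own tools: it reads a constructed CSV export of Security events (the column names are assumed), flags 4688 process-creation entries naming known remote access tools and 4720/4732 account events, and returns the activity window to use when exporting browser history for the period.

```python
import csv
import io

# Constructed sample of a Security log CSV export. Column names are an
# assumption for this example. 4688 = process creation, 4720 = user account
# created, 4732 = member added to a security-enabled local group.
SAMPLE_CSV = """TimeCreated,EventID,Detail
2024-05-01T14:02:11,4688,C:\\Windows\\System32\\svchost.exe
2024-05-01T14:05:43,4688,C:\\Users\\pat\\Downloads\\AnyDesk.exe
2024-05-01T14:06:10,4688,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2024-05-01T14:09:30,4720,support_admin
2024-05-01T14:09:35,4732,Administrators <- support_admin
2024-05-01T14:20:00,4688,C:\\Windows\\explorer.exe
"""

# Lower-cased substrings that identify the remote access tools named in the checklist.
REMOTE_ACCESS_MARKERS = ("anydesk", "teamviewer", "screenconnect",
                         "connectwise", "quicksupport")
ACCOUNT_EVENTS = {"4720": "user account created",
                  "4732": "member added to local group"}


def triage(csv_text):
    """Return (timestamp, finding, detail) tuples sorted by time."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id, detail = row["EventID"], row["Detail"]
        if event_id == "4688" and any(m in detail.lower() for m in REMOTE_ACCESS_MARKERS):
            findings.append((row["TimeCreated"], "remote access tool executed", detail))
        elif event_id in ACCOUNT_EVENTS:
            findings.append((row["TimeCreated"], ACCOUNT_EVENTS[event_id], detail))
    return sorted(findings)


def activity_window(findings):
    """Earliest and latest suspicious timestamps; use these to bound the
    browser-history export. Returns None when nothing was flagged."""
    if not findings:
        return None
    times = [f[0] for f in findings]
    return (min(times), max(times))


if __name__ == "__main__":
    hits = triage(SAMPLE_CSV)
    for ts, what, detail in hits:
        print(ts, what, detail)
    print("window:", activity_window(hits))
```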
primary tools
- 01 remote desktop log clearing and gap detector: drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · surface rdp session reconstruction with cleared log indicators · runs locally
- 02 rdp cache parser: drop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
- 03 live response tool execution artifact detector: drop prefetch, shimcache, amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
- 04 LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
- 05 browser history extractor: drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
- 06 browser extension analyzer: drop Chrome or Firefox extension folder or .crx · parse manifest · permissions · background scripts · content scripts · flag dangerous permissions · export report · runs locally
- 07 chrome extension analyzer: drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
- 08 powershell deobfuscator: paste obfuscated powershell · base64 utf-16 · deflate gzip · concat replace · char arrays · multi-pass · iocs · runs locally