Just noticed! Did he manage to spoof the email ID from the localbitcoins.com domain? Didn't Gmail raise flags?
That's easy, bro... and in this case they used the
http://emkei.cz/ mailer.
I am going to reverse their RAT in my free time and will post more details here.
PS: I told him that I clicked on it and nothing happened, and then I kept disconnecting his call in the middle of that convo. He is going to guide me on "how to run that file" in half an hour because he is busy with his localbitcoins work now.