User manual

1
 Installation
1. To install the panel, you need to buy a VPS / VDS with the following characteristics::
● RAM 4 GB
● CPU 2 Cores
● SSD disk
● Windows Server OS
2. After you have purchased the server and activated it, press Win+R, then type "mstsc" and press
ENTER.
3. In the "Connect to remote desktop" window, find the "Computer" field and enter the IP address of the
server you purchased, then click "Connect".
4. Enter the username and Password that you received when purchasing the server.
5. After you are logged in to the server, move the Tools folder from your work PC to the server. Copy
the folder and paste it on the server.
6. Run the file on the server “NetFramework48.exe " as an administrator and install it on the server.
7. Run the file on the server “Chrome.exe " and install it on the server.
8. Open the serviceSettings file.JSON and change the localhost value to your Dedic's IP address.
9. Copy the Panel folder to the server, run the file " RedLine.MainPanel.exe” on behalf of the
administrator, in the open window, enter the account details that you registered when purchasing our
program. if you don't have them, then contact the seller to get them, and then click “Sign in” to enter
the panel.
10. If you want to change the port for the panel's operation, open the serviceSettings file.JSON and
change the port value to the desired one and restart the panel.

2
 Creating a build
Go to the “Builder " tab.
Icon File - an icon for your build
Server IP - the IP address of your server. If you have multiple domains, then enter them via |
BuildID - a unique identifier for your build. you will use BuildID to understand which file the log came
from.

After entering the Server IP, click on the "Check connection" button to check the connection at the
current address.

The “Icon File” and “BuildID " fields are optional.

Everything is ready. Click the "Build" button, then select the folder where the final build will be saved
and enter a name for it, and then click "Save".

Creating a clipper build:

At the bottom of the Builder tab, select the icon, and then fill in the “Patterns " field.
Fill in the “Patterns " field as follows:
address|regular expression

Ready-made examples for popular wallets:

Wallet BTC|\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{26,35}\b
ETH wallet|\b0x[a-fA-F0-9]{40}\b
BCH wallet|\b (q|p) [a-z0-9]{41}\b
Wallet DOGE|\bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\b
LTC wallet|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b
Dash wallet|\bX[1-9A-HJ-NP-Za-km-z]{33}\b
Neo wallet|\bA[0-9a-zA-Z]{33}\b
XMR wallet|\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b
XRP wallet|\br[0-9a-zA-Z]{24,34}\b
The zcash for wallet|\bt(bc1|[13])[a-zA-HJ-NP-Z0-9]{26,35}\b

After filling in all the fields, click the "Build" button at the bottom of the page and save the file.

Attention! The clipper build doesn't have a built-in autoload. You need to ask the Cryptor to add it
when crypting.

3
 Build settings
● Box “to Get Browsers” is responsible for the function of collecting information from browsers
are enabled by default.
● The “JSON Cookies " field is responsible for the mode of saving cookies in JSON format. if the
check box is turned off, then cookies will be saved in Netscape format.
● The “Get ftp clients " field is responsible for collecting information from FTP clients (FileZilla,
etc.). it is enabled by default.
● The “Get IM clients " field is responsible for collecting information from IM clients (Pidgin, etc.).
it is enabled by default.
● The “Get wallets " field is responsible for collecting cold wallets. it is enabled by default.
● The "Grab UserAgent" field is responsible for collecting the browser fingerprint. it allows you
to disguise your browser as the victim's browser. it is enabled by default.
● The “Anti Duplicate " field is responsible for the function of anti-duplicate logs. if the field is
enabled, repeated logs from one victim will not be displayed. by default, it is enabled.
● The “Get files " field is responsible for collecting files from the victim's PC. it is enabled by
default. To configure the list of files that Stiller should collect, fill in the “Get files settings " field.
● The “Get files settings " field. Just below the label is a list of your settings for collecting files.
You can add new settings via the "Enter a search pattern" field.
● The "Enter a search pattern" field is required to add a new setting for collecting the file. The
value in this field must be written in the following format: "Path|Extension|1 or 0”, system variables of
the OS can be used in the path. In the extension, you can write the full name of the file to be found (for
example, wallet. dat), or part of it (*.dat, *wallet*.*,*.*). the value is 1 if you need to search in subfolders
of the specified folder, and 0 if you don't need to search in subfolders. After filling in the field, click on
the " Add " button to add it to the file collection settings. Also, in order not to fill in one value at a time,
you can import these values from the file. Each value must start from a new line. To import values from
a file, click on the "From File" button and select the desired file. You can delete values from settings by
selecting it in the list with the left mouse button, then right-clicking and selecting "Delete".‘
● The “Black list countries " field. Just below the label is a list of your settings for countries where
the build will not work. You can add new settings via the "Enter a country" field.
● The “Black list IPs " field. Just below the label is a list of your settings for IP addresses where
the build will not work. You can add new settings via the "Enter an IP" field.
● The “Enter a country " field is necessary to add a new setting for countries where the build will
not work. The value in this field must be written in the following format: UA, RU, US, and so on. A full
list of countries can be found on the website
https://www.acex.net/ru/useful_information/ISO_country_codes.php. values from column A2. After
filling in the field, click on the " Add " button to add countries to the blacklist settings. You can delete
values from settings by selecting it in the list with the left mouse button, then right-clicking and selecting
"Delete".
● The “Domain Detector settings " field. Just below the label is a list of your settings for collecting
files. You can add new settings via the "Enter a domain pattern" field.
● The “Enter a domain pattern " field is necessary to add a new configuration for domain groups
that will be searched for when logs are received. if a domain from the group is found in the log, it will
show you this in the PDD column (if in passwords), or in the CDD column (if in cookies). The value in

4
this field must be written in the following format:: GROUP NAME=domain
Example 1: CRYPTO=blockchain|hitbtc
Example 2: PP=paypal
After filling in the field, click on the " Add " button to add a new value to the settings. You can delete
values from settings by selecting it in the list with the left mouse button, then right-clicking and selecting
"Delete".

IMPORTANT! For the changes to take effect, click on the “Save Settings " button.”

5
 Notifications
The “Notifications " tab is used to display important panel events. It will show you when the task
was completed or when a duplicate log was received

6
 Statistics
Go to the “Statistical " tab to see statistics on logs that are located in the panel.
● The “Passwords " field shows the total number of passwords in all logs.
● The "Cookies" field shows the total number of cookies in all logs.
● The "Autofills" field shows the total number of AutoFill forms in all logs.
● The “Credit Cards " field shows the total number of credit cards in all logs.
● The “Files " field shows the total number of files from the grabber in all logs.
● The " FTP " field shows the total number of FTP accounts in all logs.
● The “Cold Wallets " field shows the total number of cold wallets in all logs.
● The “Top 10 of counties " field shows the top 10 countries by the number of logs from these
countries.
● The “Top 10 of OS " field shows the TOP10 operating systems by the number of logs with
these operating systems.
● The “Reset all stats " button is responsible for resetting all statistics, without deleting logs.

Guest statistics for installation fillers can be configured in the “Guest Links " tab.”
A list of active guest links is located at the top of the tab.
To create public statistics for the desired build, fill in the fields :
"BuildID" is the ID of the build whose statistics you want to show. you specified it in the Builder
when creating it.
“Expires DateTime " is needed to limit the time of access to this link. If you want to do this
without restrictions, leave the field empty. if you want the link to work until a certain time, then
the format of the value is 01.01.2020 23: 59
And then click "Create Link".
To get a link, double-click on the desired line in the list of links, and the browser opens with the
link.

To delete a link, right-click on the line and then “Delete”

7
 Checking the balance of a cold BTC wallet
Go to the “Wallet Checker "tab and click on the "Open" button, and then select the cold wallet file.
after successful verification, it will show you the amount of BTC that is available on the balance of this
wallet.

8
 Sorting logs
Go to the “Log Sorter " tab, here you will see two types of sorter: the left one, which is necessary
for searching by parameters, or the right one, which sorts logs by the necessary domains.

Description of the left sorter:

Field " Country” - the country that should be in the log

Field "BuildID" - ID of the build in the log
"Set Comment" field - a comment that will be assigned to the log if it passes all other parameters.
"Skip Comment" field - a comment in the log that will skip the log for sorting
Field " Comment” - a comment that should be included in the log
Field " OS” - the operating system that should be in the log
The “Password Contains Domain " field is the site domain that should be included in the log
passwords (example: paypal.com). You can also specify multiple domains by separating them with |
.To specify the required number of passwords from this site, enter in the vk. com format: 3-will find logs
where the number of passwords from the site is vk.com equal to 3 or more
The "Cookies Contains Domain" field is the site domain that should be included in the log cookies
(example: paypal.com).You can also specify multiple domains by separating them with | .To specify
the required number of passwords from this site, enter in the vk. com format: 3-it will find logs where
the number of cookies from the site is vk.com equal to 3 or more
Field "Credit cards" - the log must contain credit cards, enabled by default
Field "Autofills" - the log must contain AutoFill forms, enabled by default
Field "FTPs" - the log must contain FTP accounts, enabled by default
Field " Files” - the log must contain files from the grabber, enabled by default
Field "Cold wallets" - the log must contain cold wallets, enabled by default
The "LogDate FROM" field - the initial date and time before which logs will not be saved
The "LogDate To" field is the end date and time after which the logs will not be saved.
"Skip Checked" field - skip checked logs
The field “Skip Empty Passwords” - pass log with an empty password
"Skip Empy Cookies" field - skipping logs with empty cookies
“Refresh Domain Detect " field-updates the PDD and CDD values in the log table

In the Comment, Skip Comment, BuildID, and Country fields, you can specify multiple values for
sorting, separated by commas.
In the Passwords Contains Domain, Cookies Contains Domain fields, you can specify several
values for the search. you need to enter them via |

All fields are optional.

Logs will be saved only for those that fit all the specified fields at once. If at least one field does
not meet your requirements in the log, it will not be saved.

To perform sorting, check all the fields for correctness, and then click on the "Sort" button and in
the window select the folder where the files that fit your parameters will be located.

9
10
 Description of the upper-right sorter:

In the text box under “Current domain”, enter the domains that you want to search for.
Each domain must be entered from a new line.
A separate folder with logs will be created for each domain.
After filling in the field, click on Sort and select the folder where the logs will be saved.

Description of the lower-right sorter:

This sorter will save the usernames and passwords of the required sites in a text file.
For example, enter the site yandex.ru in the search field and click " Sort”, the sorter will create a
text file yandex.ru, records usernames and passwords from all logs from this site.

11
 Telegram notifications
1) Go to firewall and add the main EXE of the panel to the white list
2) Then create a bot in telegram (Google to help)
3) Copy the API Token
4) Go to the panel, then the Telegram tab, in the “Bot API Token” field, write this token
5) in the “Message Format” field, write the format of the notification that you want to receive, using
the following variables:
● {BuildID}
● {ID}
● {CDD}
● {PDD}
● {Comment}
● {Country}
● {Creds}
● {HWID}
● {IP}
● {Location}
● {LogDate}
● {OS}
● {PostalCode}
● {TimeZone}
● {Username}
6) Using these variables in the text, you can create the desired format. Example of the format :
Phone number: {ID}
Build: {BuildID}
OS: {OS}
IP: {IP}
Data: {Cred}
Country: {Country}
7) "Send Log File" - is responsible for whether the log file itself will be sent or only the log
message. Enable it only if the log flow is slow. On installations, uncheck this box.
8) Click the "Start" button”
9) log in to your bot, click /start
10) and then /sub
11) If the response says "Successful", then everything is configured successfully

12
 Tasks
Go to the “Loader Tasks " tab. In the upper part of the window, you will see a list of existing tasks
for Stiller.
One task is performed only once per victim. After successful execution, the Stiller remembers that
it has completed it and is no longer executing it. The parameter for storing the task is the " ID " field in
the task list.

The “Reset " button is responsible for completely resetting the history of completed tasks, as well
as existing ones. Clears the task list.
The “Refresh list " button updates the data in the task list. Namely, the “Current” and “Status "
fields.

In the lower part of the window, the panel is divided into two parts: the left one is for creating a
task, and the right one is for editing existing ones.
Description of the left part:

The following values are available for the “Action” field::

Download - download the file via a direct link to the specified folder
Download Yandex-download a file via a direct link to the specified folder and then run this file
OpenLink - opening the desired site in the victim's browser
Cmd - executing a cmd command on the victim's computer
RunPE-gets a file from a direct link, and then runs this file in the memory of another application
that you specify ( injection )

The Target field is filled in in a different format depending on the Action field.

Format of the Target field for Download: link / file path

Example: https://site.ru/filename.exe|%tmp%\filename.exe

Format of the Target field for RunPE: link|file name from a folder
C:\Windows\Microsoft.NET\Framework\v4.0.30319
Example: https://site.ru/filename.exe|AddInProcess32.exe

Format of the Target field for download Yandex: link|file path

Example: https://site.ru/filename.exe|%tmp%\filename.exe

Format of the Target field for OpenLink: link

Example: https://site.ru/filename.exe

Format Of the target field in Cmd: link

Example: shutdown -r -t 0
In the “FinalPoint” field, you must enter the number of successful task completions. after the
number of completions reaches this number, the task will be considered completed.

13
 In the "Filter" field, you can write a filter based on the following parameters::
Country, IP, OS, BuildID
The fill-in format is as follows:
Country=RU;BuildID=testid
You don't have to use all filters. You can combine them with each other, or leave them blank
altogether if you want all victims to perform this task.

In the “Domains Check” field, you can enter domains separated by the / separator. if the field is
filled in, the presence of these domains in passwords will be checked, and if they are found, the task
will be completed.
Examples:
paypal.com
paypal.com|amazom.com

To add a task, check all fields and click " Add”

To change a task, select the appropriate one in the task list and change the required fields in the
lower-right part, and then click " Save”
To delete an issue, select the appropriate one in the task list and change the "Visible" field in the
lower-right part, and then click " Save”

14
 Viewing logs
Go to the “Logs " tab.
A large part of the window is a list of the current logs.
Each line is a unique log with the following fields:
Field " ID” - unique log number in the list
The "HWID" field is a unique identifier based on the victim's OS characteristics
Field " IP” - IP address
Field " OS " - operating system
The "BuildID" field is the build ID that was specified when creating the build
Field "LogDate" - date and time when the log was added to the list
Field " OS " - operating system
Field " Country” - country
The field “Comment” - comment
"PDD" field - this field records the detector domain groups for passwords that you added in the
settings.
"CDD" field-this field records the cookie detector domain groups that you added in the settings.

To search among the list of logs, fill in the “Search filter "field, and then click the "Search" button.
The format of the values:
Country=RU,UA,US;BuildID=test1
In other words, it is similar to the filter used when creating tasks.

To assign a comment to the appropriate log, select the appropriate one from the list, then fill in
the "Enter a comment" field and click "Set".

To save all logs to a folder, click the "Save list" button, and then select the folder where the logs
will be located
To clear the list of all logs, click on the "Clear all logs" button, and then confirm your action.

To view logs directly in the dashboard. select the desired log from the list by left-clicking, and then
right-click on it again. A menu will appear where you can view all the data in this log.
The menu item "System Info" will show you the system log information and a screenshot from the
screen.
The “Save " menu item is needed in order to save this log to the folder that you select.
The "Runtime Exceptions" menu item is used for error diagnostics, only for developers.
The “Delete " menu item deletes the selected log from the list of logs.
The menu item “Viewers " is required to view the collected information:
Passwords - usernames and passwords
Cookies - cookies
Autofills-AutoFill forms
Credit cards - credit cards
FTP-FTP accounts
Files - files

15
16
 File hosting
To get a direct link to a file, go to the “Guest Links "tab, click on the" Create Link‘ button at the
bottom, and then select the file that you want to get a direct link to.
If you want your file to have a new md5 checksum every time, check the box “Change checksum".
To delete a link, select the appropriate one from the list, and then right - click and select " Delete”

17
 Other things
Go to the “Misc " tab.

The upper part of the window is responsible for creating a clone of another file
Target Path-file to make a copy of
Build Path - your build
“Assembly Info " field-copying the icon and file description
The field “Certificate” - a copy of the certificate

After filling in the fields, click on the "Clone" button “”

The lower part of the window is responsible for increasing the file weight
Target Path-file to increase the weight of
Bytes count - the number of bytes to add to the weight of your file

After filling in the fields, click on the "Pump" button “”

18