Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-11-2021 20:56
Static task: static1
Behavioral task: behavioral1
- Sample: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
- Resource: win10-en-20211014
General
- Target: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
- Size: 194KB
- MD5: f4650d292682a8ae1ca1efd08fa1eb58
- SHA1: e64e2a4909672cd6ff27788976b875be8c3f25a6
- SHA256: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346
- SHA512: 64ba5a118c5fdd9633c102062591ceb8e8511f3cfea8223989ad9997e1fb7b9d1012e157214ad6e103a9314abbd28b0d5a8a0e559bbfbf8df94a6adffb02d222
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
  - File renamed: C:\Users\Admin\Pictures\InitializeOut.png => C:\Users\Admin\Pictures\InitializeOut.png.UAHCW
  - File renamed: C:\Users\Admin\Pictures\MoveTrace.tif => C:\Users\Admin\Pictures\MoveTrace.tif.UAHCW
  - File renamed: C:\Users\Admin\Pictures\ResizeTrace.raw => C:\Users\Admin\Pictures\ResizeTrace.raw.UAHCW
  - File renamed: C:\Users\Admin\Pictures\RevokeCompare.raw => C:\Users\Admin\Pictures\RevokeCompare.raw.UAHCW
  - File renamed: C:\Users\Admin\Pictures\SetClear.png => C:\Users\Admin\Pictures\SetClear.png.UAHCW
  - File renamed: C:\Users\Admin\Pictures\WaitFormat.raw => C:\Users\Admin\Pictures\WaitFormat.raw.UAHCW
  - File opened for modification: C:\Users\Admin\Pictures\ExportConvert.tiff
  - File renamed: C:\Users\Admin\Pictures\ExportConvert.tiff => C:\Users\Admin\Pictures\ExportConvert.tiff.UAHCW
- Drops startup file (1 IoC)
  Process: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 2700: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
  - pid 2700: d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2700 wrote to memory of 720: pid 2700, d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe, target cmd.exe
  - PID 2700 wrote to memory of 720: pid 2700, d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe, target cmd.exe
  - PID 720 wrote to memory of 1916: pid 720, cmd.exe, target WMIC.exe
  - PID 720 wrote to memory of 1916: pid 720, cmd.exe, target WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d43b52e3453ce77d2694a239232f39341a98fa704954a558125e74a85f22a346.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken