FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat
Staff
Article Id 247328

Introduction

 

Mimic ransomware was discovered in June 2022 by researchers at the cyber security company Trend Micro.[1] Trend Micro researchers also found that this malware uses DLL functions of a legitimate tool called “Everything”. Everything is a freeware tool created by a company called “voidtools”.[2] This tool creates a real-time index of all files on a drive, enabling system administrators to quickly search through files on a drive using minimal system resources. The use of this DLL allows Mimic ransomware to quickly search for files with a desired extension and then encrypt them. Prior to encrypting files, Mimic performs several preparation functions such as deleting shadow copies, terminating multiple services and applications including Microsoft Defender, and unpacking third-party tools it uses as part of its execution. The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this malware and its associated preparation and encryption behavior to mitigate the associated risk. This article also demonstrates what FortiEDR Threat Hunting telemetry this ransomware generates when observed in a FortiEDR-protected environment and how this telemetry can be leveraged using threat hunting queries.

 


Figure 1. Attack diagram of Mimic Ransomware

 

Analysis

 

Primary Loader:

Upon execution, the primary loader executable of the Mimic malware drops multiple EXE and DLL files into the folder “C:\Users\<USER>\AppData\Local\Temp\7ZipSfx.000\”. First, the primary loader drops 7za.exe, which is the executable of 7zip (a file archiver with a high compression ratio). It then drops the legitimate files of the “Everything” application (Everything.exe and Everything32.dll) into the same “7ZipSfx.000” folder. A file named “Everything64.dll” is also extracted, but this file is not a DLL. It is a password-protected 7zip file which contains the second-level malicious payloads. The primary loader extracts this “Everything64.dll” file using the following command, where the parameter “20475326413135730160” specifies the password for the Everything64.dll file:

 

 

"C:\Users\<USER>\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p20475326413135730160 Everything64.dll

 

 

Table 1 below describes the function of each of the files in the unzipped folder.

 

| File Name | Description |
| --- | --- |
| 7za.exe | Legitimate 7zip file used by the first stage loader to extract payloads |
| Everything.exe | Legitimate Everything application executable file |
| Everything32.dll | Legitimate Everything application DLL file |
| Everything64.dll | Password-protected 7zip file which contains the malicious payload and other third-party executables |
| Mc_virus.exe | Malicious secondary payload which was extracted from Everything64.dll |
| sdel.exe | Sysinternals secure delete utility executable. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable. This file was extracted from Everything64.dll |
| Sdel64.exe | 64-bit version of the above-mentioned Sysinternals secure delete utility. This file was extracted from Everything64.dll |
| DC.exe | Defender Control is a third-party application that can enable or disable Windows Defender[3]. This file was extracted from Everything64.dll |
| Everything.ini | Everything software configuration file. This file was extracted from Everything64.dll |
| Everything2.ini | Everything software configuration file. This file was extracted from Everything64.dll |

Table 1. List of files dropped by the main payload and secondary payload.

 

The primary loader executable is identified as a malicious file by FortiEDR as it has a known FortiGuard AV signature, and its execution is blocked if FortiEDR is configured in Prevention mode. For analysis of this malware, we disabled Prevention mode to allow unrestricted execution so that we could observe the further activities of the malware. The event of blocking the malicious primary loader can be seen in Figure 2 below.

 


Figure 2. FortiEDR detects primary loader of Mimic Ransomware as malicious.

 

After extracting all these files, the primary loader executes Mc_virus.exe, which is the second stage malicious payload of Mimic ransomware. When we checked the hash of this file in the FortiGuard Central Threat System (CTS), we found that Mc_virus.exe is flagged as malicious and identified as a known Mimic ransomware executable. This can be observed in the CTS screenshot below:

 


Figure 3. FortiGuard CTS showing malicious indicator for Mc_virus.exe

 

After executing Mc_virus.exe, the primary loader deletes the files dropped in the %TEMP%\7ZipSfx.000 folder. The primary loader then creates a file “7ZSfx000.cmd” in the folder “C:\Users\<USER>\AppData\Local\Temp\”. This file has the following contents:

 


Figure 4. Content of the 7ZSfx000.cmd file dropped by the payload to delete its original executable file

 

 

This content is a set of cmd commands. The commands delete the primary executable file from a specified path, after which the .cmd file deletes itself. Once this .cmd file has been written to disk, it is executed by the primary loader using the following command:

 

 

C:\Windows\system32\cmd.exe /c "C:\Users\<USER>\AppData\Local\Temp\7ZSfx000.cmd"

 

 

Secondary Loader

Following the above behavior, the primary loader executes the “MC_virus.exe” executable, which is the second stage loader for the Mimic ransomware payload. When the second stage loader is executed, it extracts the same files extracted by the first stage payload but into a different folder, Users\<username>\AppData\Local\{ECD7344E-DB25-<alphanum>-009E-<alphanum>}\. This secondary payload, Mc_virus.exe, is also detected as malicious by FortiEDR and is prevented from executing when FortiEDR is in Prevention mode.

As well as executing the main ransomware payload, the secondary loader adds a Run key registry value for the file “bestplacetolive.exe” to create persistence on the victim machine (T1547.001). This registry entry is created in the path “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” with the value set to the location of the “bestplacetolive.exe” file ("C:\Users\user1\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}\bestplacetolive.exe"). The secondary loader also creates a file, “session.tmp”, under the path (Users\<username>\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}) that it uses for internal session management. After this, the secondary payload executes the main ransomware payload, which is the previously created “bestplacetolive.exe” executable.

 

Main Payload

The “bestplacetolive.exe” executable is the main payload of Mimic ransomware. Like the majority of other malware families, the Mimic ransomware payload performs a number of preparation functions prior to beginning encryption. These functions include disabling security tools (T1562.001), creating power configurations, preventing access to shutdown commands, creating a monitoring process, stopping services (T1489) and killing processes that might hamper complete file encryption. These functions are described in further detail in this section.

 

Malware self-protection:

The “bestplacetolive.exe” process disables the security tool Windows Defender by using the open-source tool Defender Control.[4] This tool is dropped as DC.exe by the previous stage payload of the malware. The process executes “DC.exe” by calling cmd.exe with the following command:

cmd.exe /c DC.exe /D

The “bestplacetolive.exe” process also starts a copy of itself to monitor its own process, passing the process ID of the first process through the arguments “-e watch -pid <first_instance_pid> -!”. We believe it is a watchdog process that restarts “bestplacetolive.exe” if it gets killed.

 

Anti-shutdown activities

After performing these defense evasion techniques, the “bestplacetolive.exe” process creates a new power configuration plan and applies it so that the victim computer does not sleep or shut down. The process creates this power configuration using the Windows tool “powercfg.exe”. The “bestplacetolive.exe” process also kills any existing logoff.exe, shutdown.exe and powercfg.exe processes, but this only occurs on initial execution; no check was found that keeps killing these processes after initial execution. It also creates multiple registry entries which remove the visual buttons for the shutdown and logoff features from the Windows Explorer GUI. The purpose of each of the modified registry entries is described in Table 2 below.

 

| Registry Key | Value | Description |
| --- | --- | --- |
| HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HidePowerOptions | 1 | Shutdown, restart, sleep, and hibernate commands are removed from the Start menu |
| HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HidePowerOptions | 1 | Shutdown, restart, sleep, and hibernate commands are removed from the Start menu |
| HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon | 0 | The Shutdown button is disabled on the logon screen |
| HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose | 1 | The Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu |
| HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff | 1 | Removes the Log Off user-name item from the Start menu |

Table 2. Registry modifications performed by the main Mimic ransomware payload that aim to prevent the system user from manually shutting down a compromised endpoint using the GUI during the encryption process.

 

 

Unlock in-use files:

The “bestplacetolive.exe” process starts three child processes of itself with the parameters “-e ul1”, “-e ul2” and “-startup”. The main “bestplacetolive.exe” process stops multiple services and processes which might interfere with the encryption process because they lock the files they use during operation. The list of services stopped is provided in Table 3 below. Along with these services, the malware also kills multiple processes from its predefined list. The list of processes killed by the malware is shown in Table 4 below.

 

| Service | Description |
| --- | --- |
| WSearch | Windows Search (WSearch) service that supports the Instant Search feature |
| pla | Performance Logs and Alerts (PLA) |
| DusmSvc | Data Usage (DusmSvc) service |
| defragsvc | Optimize drives (defragsvc) service |
| DoSvc | Delivery Optimization service |
| wercplsupport | Problem Reports and Solutions Control Panel Support service |
| SDRSVC | Provides Windows Backup and Restore capabilities |
| TroubleshootingSvc | Troubleshooting service |
| Wecsvc | Windows Event Collector (Wecsvc) service |
| fhsvc | File History service |
| wbengine | Windows Backup and recovery service |
| PcaSvc | Program Compatibility Assistant service |
| WerSvc | Windows Error Reporting service |
| SENS | System Event Notification Service |
| AppIDSvc | Application Identity (AppIDSvc) service |
| BITS | Background Intelligent Transfer Service (BITS) |
| wuauserv | Windows Update service |
| SysMain | Superfetch, called SysMain after the Windows 10 1809 update |
| DiagTrack | Diagnostics Tracking |
| diagnosticshub.standardcollector.service | Service that collects and processes real-time ETW events |
| dmwappushservice | Routes Wireless Application Protocol Push messages |
| WMPNetworkSvc | Helps Windows Media Player share its library with the network |
| DiagTrack | Tracking service that collects data about functional issues in Windows |

Table 3. Services killed by the Mimic Malware Payload.

 

| Process Killed | Description |
| --- | --- |
| SearchIndexer.exe | Windows search indexer that indexes files so that searches can be returned more quickly. |
| SearchProtocolHost.exe | Application that other applications interface with to gain access to data indexed by SearchIndexer.exe. |
| SearchApp.exe | Application used to provide results from SearchIndexer.exe to the user. |
| CompatTelRunner.exe | Part of the Microsoft Windows telemetry system |
| wsqmcons.exe | Windows Customer Experience Improvement application |
| taskmgr.exe | Windows Task Manager |
| tasklist.exe | Task listing command line tool |
| taskkill.exe | Task killing command line tool |
| perfmon.exe | Main Windows application used for performance monitoring |
| logoff.exe | Windows executable that executes the user logoff process. |
| shutdown.exe | Windows executable that executes the shutdown and restart processes. |

Table 4. Processes killed by the Mimic Malware payload.

 

Delete backups:

The malware then stops any virtual machines running on the system, gets all the VHD (Virtual Hard Disk) objects of each hosted virtual machine and dismounts any associated VHD disks. The VHDs are dismounted so that the VHD files on the machine can be encrypted properly without any other software accessing them. We can observe these events in the following screenshot taken from the FortiEDR Threat Hunting page.

 


Figure 5. Threat Hunting Page of FortiEDR showing commands executed by malware to stop virtual machine and dismount virtual Hard-disks

 

 

The main ransomware process gets a list of disk volumes on the victim machine and also unmounts these disk volumes. We believe that the malware unmounts removable drives to make the encryption process quicker. The main ransomware process then deletes the backup files and system backups using the Windows system utilities ‘bcdedit.exe’ and ‘wbadmin.exe’. Boot Configuration Data (BCD) files provide a store that is used to describe boot applications and boot application settings. BCDEdit is a command-line tool for managing BCD.[5] It can be used for a variety of purposes, including creating new stores, modifying existing stores, and adding boot menu options. In the case of ransomware, “bcdedit.exe” is typically used to disable Windows recovery. The malware executes the following commands to perform these functions.

 

 

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

wbadmin.exe DELETE SYSTEMSTATEBACKUP

wbadmin.exe delete catalog -quiet

 

 

FortiEDR detects and mitigates the ransomware’s attempt to use wbadmin.exe as a “Service Access” event under the “Exfiltration Prevention” rule group. Figure 6 below shows a sample event where FortiEDR effectively blocked “bestplacetolive.exe” from employing wbadmin.exe in this way.

 


Figure 6. FortiEDR detects attempts by the main Mimic ransomware process (bestplacetolive.exe) to execute wbadmin.exe to delete backups.

 

The ransomware’s attempts to execute bcdedit.exe are also detected and blocked by FortiEDR as “Malicious File Detected” under the “Execution Prevention” security policy. An example of this security event can be observed in Figure 7 below. We can also observe that “bestplacetolive.exe” is detected by FortiEDR under the threat name “Filecoder_Mimic.A!tr.ransom”; this signature is taken from the FortiGuard AV signatures.

 


Figure 7. FortiEDR blocks malware from accessing system utility bcdedit.exe

 

File Encryption Process:

The “bestplacetolive.exe” process creates two instances of the “Everything.exe” process with the parameter “-startup”. This option means “Run Everything in the background”[6], so these processes run in the background and create indexes of the files on the system. The malware later queries the generated index through the Everything executable using API calls. As highlighted above, after deleting backups, the malware unmounts all drives and virtual machine hard disks. Once these functions are completed, the ransomware starts encrypting files on the victim machine by first overwriting the original files with encrypted content and then renaming them with the “.QUIETPLACE” file extension. This behavior triggers the “File Encryptor - Suspicious File Modification” rule, which is part of the “Ransomware Prevention” security policy in FortiEDR. This can be observed in Figure 8 below.

 


Figure 8. FortiEDR blocks file encryption attempt by Mimic Ransomware

 

After the malware has finished encrypting the files, it executes the Microsoft SysInternals tool Sdelete to clean up the free space on the drives that have been encrypted. The malware has dropped copies of the 32-bit and 64-bit versions of Sdelete as sdel.exe and sdel64.exe respectively, and executes the corresponding executable depending on the operating system. In our case it used the following command:

 

 

sdel64.exe -accepteula -p 1 -c C:\

 

 

This specifies cleaning free space with a single overwrite pass.[7] The ransomware performs this secure delete in order to prevent recovery of the original files encrypted by the malware that may be retrievable from slack space.

As with all ransomware, once encryption is completed the main process drops a ransom note file in the location “C:\Users\<USERNAME>\AppData\Local\Decrypt_me.txt”. It then launches notepad.exe with this file as a parameter to show the user the ransom note. A screenshot of the ransom note can be observed in Figure 9 below.

 


Figure 9. Ransom note created by the Mimic ransomware sample analyzed in this article.

 

Conclusion

Mimic ransomware is very quick to index the files on the victim computer because it uses the multi-process indexing utility of the “Everything” software. One prominent difference we noticed compared to other ransomware families is the heavy and brazen use of various command line and third-party administrative utilities: from the third-party 7z executable used to extract the dropped archive files, through Everything.exe to index and search files on the victim computer, Defender Control (DC.exe) to disable Windows Defender, and Windows utilities (powercfg.exe, PowerShell, wbadmin.exe, bcdedit.exe), up to the SysInternals tool sdelete (sdel64.exe) to clean up free space on the drive after encryption. Seeing such prevalent use of administrative utilities, we suspect that the malware author might have a previous background in IT administration.

Another prominent difference in Mimic ransomware is that it is very “loud” in terms of the events and commands it executes on the victim machine. This contrasts with many other ransomware families that obfuscate the behavior performed by their malware or perform many of these preparation functions within the core ransomware code rather than using third-party tools. On analyzing the assembly code of the main ransomware executable, we identified multiple plaintext comments being sent to internal logs. Again, this differs from many other ransomware families that remove or obfuscate many of these artifacts. This also supports our theory that the malware author might previously have had an IT background.

As highlighted in this article, FortiEDR effectively detects and mitigates the risk of Mimic ransomware execution and subsequent behavior. In the analysis outlined in this article, FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of Mimic ransomware execution. We have seen that FortiEDR detects the multiple stages of this malware’s execution, blocking service access and blocking the file encryption process. Some threat hunting queries are included below to allow organizations to put additional detections in place to identify some behaviors associated with Mimic ransomware execution and to assist with triaging potential intrusions.

 

Threat Hunting

The Everything64.dll file extraction performed by the primary loader of Mimic ransomware can be detected with the following Threat Hunting query. In future versions of the malware, the author might change the password string used in the extraction command. In that scenario this query will not detect this type of event, although the query could be modified to omit the password component of the command line for greater utility at the cost of a higher risk of false positives.

 

Type: ("Process Creation") AND Target.Process.File.Name:7za.exe AND Target.Process.CommandLine:("x -y -p20475326413135730160 Everything64.dll")
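The password-agnostic variant mentioned above can also be applied offline to exported process-creation events. The following is an added example, not part of the original article or of FortiEDR: it matches any 7-Zip extraction that supplies a password for an archive whose extension is not an archive extension, which is the case for Everything64.dll. The event field names (image, command_line), the extension list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Extensions a genuine archive normally carries. A password-protected archive
# with any other extension (such as .dll) is treated as disguised.
ARCHIVE_EXTENSIONS = {".7z", ".zip", ".rar", ".tar", ".gz", ".bz2", ".xz",
                      ".cab", ".iso", ".001"}
SEVENZIP_IMAGES = {"7za.exe", "7z.exe", "7zr.exe"}
EXTRACT_COMMANDS = {"x", "e"}  # 7-Zip extract commands


def split_windows_cmdline(cmdline):
    """Tokenise a command line without treating backslashes as escapes."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace splitting
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def inspect_extraction(event):
    """Return a finding for a password-protected extraction of a disguised
    archive by a 7-Zip binary, or None if the event does not match."""
    if ntpath.basename(event["image"]).lower() not in SEVENZIP_IMAGES:
        return None
    # Assumes the first token is the image path, as in the article's command.
    args = split_windows_cmdline(event["command_line"])[1:]
    positional = [a for a in args if not a.startswith("-")]
    switches = [a.lower() for a in args if a.startswith("-")]
    if len(positional) < 2 or positional[0].lower() not in EXTRACT_COMMANDS:
        return None
    archive = positional[1]
    extension = ntpath.splitext(archive)[1].lower()
    # -p<password> with any non-empty password; the value itself is ignored.
    has_password = any(s.startswith("-p") and len(s) > 2 for s in switches)
    if not has_password or extension in ARCHIVE_EXTENSIONS:
        return None
    return {
        "archive": archive,
        "extension": extension,
        "from_temp": "\\appdata\\local\\temp\\" in event["image"].lower(),
    }


# Constructed sample events (not FortiEDR output); the passwords are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user1\AppData\Local\Temp\7ZipSfx.000\7za.exe",
     "command_line": r'"C:\Users\user1\AppData\Local\Temp\7ZipSfx.000\7za.exe"'
                     r" x -y -p11112222333344445555 Everything64.dll"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'"C:\Program Files\7-Zip\7z.exe" x -y -pS3cret reports.7z'},
    {"image": r"C:\Tools\7za.exe",
     "command_line": r"C:\Tools\7za.exe a -pS3cret out.dll notes.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir"},
]


def hunt(events):
    """Return (event index, finding) pairs for every matching event."""
    hits = []
    for index, event in enumerate(events):
        finding = inspect_extraction(event)
        if finding:
            hits.append((index, finding))
    return hits


if __name__ == "__main__":
    for index, finding in hunt(SAMPLE_EVENTS):
        print(index, finding)
```

The from_temp field is context for triage rather than a match condition, so a loader that unpacks outside the Temp folder is still reported.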

 

 

 

The following query can be used to find execution of the script 7ZSfx000.cmd. As mentioned previously, this script deletes temporary files dropped by the malware in the AppData/Local/Temp directory. Note that the malware author may change the name of this script in the future, which would stop this query from finding these events.

 

Type: ("Process Creation") AND Target.Process.Name:cmd.exe AND Target.Process.CommandLine:("7ZSfx000.cmd")

 

 

 

The primary loader drops the secondary loader "Mc_virus.exe" using the 7z utility executable. File Create events related to this behavior can be found using following Threat Hunting query:

 

Type: ("File Create") AND Source.Process.Name:7za.exe AND Target.File.Name: ("Mc_virus.exe")

 

 

 

The secondary loader drops a number of third-party executables into the AppData folder. File Creation events associated with this behavior can be found using the following Threat Hunting query:

 

Type: ("File Create") AND Source.Process.Name:Mc_virus.exe AND Target.File.Name: ("sdel64.exe" OR "sdel.exe" OR "DC.exe" OR "session.tmp" OR "bestplacetolive.exe" OR "Everything2.ini" OR "Everything.ini")

 

 

 

The secondary loader executes the main payload "bestplacetolive.exe". Related Process Creation events can be found using the following Threat Hunting query:

Type: ("Process Creation") AND Source.Process.Name:mc_virus.exe AND Target.Process.Name:bestplacetolive.exe

 

 

 

The main Mimic ransomware process executes a PowerShell command to find and stop all the virtual machines hosted on a victim endpoint. Related Process Creation events can be found using the following Threat Hunting query:

Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-VM | Stop-VM\""

 

 

 

The main Mimic ransomware process executes a PowerShell command to find and dismount the virtual machine disks hosted on a victim endpoint. Related Process Creation events can be found using the following Threat Hunting query:

Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage\""

 

 

 

The main Mimic ransomware process executes a PowerShell command to dismount the disk volumes on the victim endpoint. Related Process Creation events can be found using following Threat Hunting query:

 

Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-Volume | Get-DiskImage | Dismount-DiskImage\""

 

 

 

The persistence (autorun entry) created for bestplacetolive.exe in the registry can be found using the following query, which returns the associated Value Created events.

 

Type: ("Value Created") AND Registry.Path:"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" AND Registry.Data:bestplacetolive.exe
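Several of the queries above depend on the payload file names (Mc_virus.exe, bestplacetolive.exe), which an author can rename as easily as the password or script name. As an added example, not part of the original article or of FortiEDR, the following groups process-creation events by parent process and reports any parent whose children show several of the pre-encryption behaviors quoted in this article (DC.exe /D, Get-VM | Stop-VM, Dismount-DiskImage, bcdedit, wbadmin, sdelete), regardless of the parent's name. The event field names, the threshold of three behaviors and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns built from the commands quoted in this article, keyed by behavior.
# Only the child command line is matched, never the parent's file name.
BEHAVIOURS = {
    "disable_defender": re.compile(r"\bDC\.exe\b.*\s/D\b", re.I),
    "stop_vms": re.compile(r"Get-VM\s*\|\s*Stop-VM", re.I),
    "dismount_disks": re.compile(r"\|\s*Dismount-DiskImage", re.I),
    "disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "delete_backups": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)", re.I),
    "wipe_free_space": re.compile(r"\bsdel(ete)?(64)?\.exe\b.*\s-c\b", re.I),
}


def classify(command_line):
    """Return the set of behavior names whose pattern matches the command."""
    return {name for name, pattern in BEHAVIOURS.items()
            if pattern.search(command_line)}


def correlate(events, threshold=3):
    """Group events by (host, parent PID, parent image) and return the parents
    whose children show at least `threshold` distinct behaviors.
    The default threshold is an assumption to tune per environment."""
    seen = defaultdict(set)
    for event in events:
        key = (event["host"], event["parent_pid"], event["parent_image"])
        seen[key] |= classify(event["command_line"])
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= threshold}


# Constructed sample events (not FortiEDR output). The first parent is a
# renamed payload; the second is an administrator's PowerShell session.
_PAYLOAD = {"host": "WS01", "parent_pid": 4120,
            "parent_image": "renamed_payload.exe"}
_ADMIN = {"host": "SRV02", "parent_pid": 900, "parent_image": "powershell.exe"}
SAMPLE_EVENTS = [
    dict(_PAYLOAD, command_line="cmd.exe /c DC.exe /D"),
    dict(_PAYLOAD, command_line='powershell.exe -ExecutionPolicy Bypass '
                                '"Get-VM | Stop-VM"'),
    dict(_PAYLOAD, command_line="bcdedit.exe /set {default} recoveryenabled no"),
    dict(_PAYLOAD, command_line="wbadmin.exe delete catalog -quiet"),
    dict(_ADMIN, command_line="wbadmin.exe delete catalog -quiet"),
    dict(_ADMIN, command_line="bcdedit.exe /enum"),
]

if __name__ == "__main__":
    for parent, behaviours in correlate(SAMPLE_EVENTS).items():
        print(parent, behaviours)
```

A single backup-catalog deletion by an administrator stays below the threshold, while the combination of behaviors from one parent is reported.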

 

 

 

 

MITRE ATT&CK Mapping

 

TA0002 - Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.001 | PowerShell | Bypasses PowerShell execution policy and executes PowerShell commands to unmount drives and virtual hard-disks |


TA0003 - Persistence

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1547.001 | Registry Run Keys / Startup Folder | Creates an entry in the current user's run keys for the main ransomware payload “bestplacetolive.exe”. |

 


TA0005 - Defense Evasion

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1027 | Obfuscated Files or Information | Dropped files are extracted from an encrypted/password-protected 7zip file. The threat actor drops their own 7za application to unzip internal files as part of execution. |
| T1562.001 | Disable or Modify Tools | 1) Modifies Group Policy settings (Disable AllowTelemetry from policy SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection) 2) Disables Windows Defender using the third-party tool Defender Control 3) Disables UAC (Modify ConsentPromptBehaviorAdmin in registry path SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System). All of the above modifications are made by the bestplacetolive.exe process of the malware using RegCreateKeyExW. |
| T1562.006 | Impair Defenses: Indicator Blocking | Malware process bestplacetolive.exe disables the telemetry policy in the Data Collection group in the registry using RegCreateKeyExW (Disable AllowTelemetry from policy SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection) |
| T1497 | Virtualization/Sandbox Evasion | Contains long sleeps to evade sandbox detection. Sleeps are implemented within the loaders and main executable. |
| T1630.002 | Indicator Removal on Host: File Deletion | The malware deletes its primary loader file. |


TA0007 - Discovery

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1518.001 | Security Software Discovery | Checks for and disables Windows Defender software |
| T1057 | Process Discovery | Queries a list of running processes and kills processes from a predefined list in the malware |
| T1082 | System Information Discovery | 1) Lists drive volumes to dismount them 2) Queries environment variables 3) Checks OS version |
| T1083 | File and Directory Discovery | Gets a list of files and folders using the third-party utility Everything.exe. |
| T1120 | Peripheral Device Discovery | Checks for available system drives to get files for encryption. |



TA0040 - Impact

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | 1) Encrypts user documents and files. Encryption is performed by the main ransomware process. Files are overwritten with encrypted content then renamed. 2) Writes a ransomware note to "C:\Users\user1\AppData\Local\" with the title “Decrypt_me.txt”. |
| T1489 | Service Stop | Malware stops multiple Windows services on the victim machine. Services are stopped directly by the malware and a full list of the services targeted is provided in Table 3 above. |
| T1490 | Inhibit System Recovery | Malware uses wbadmin.exe and bcdedit.exe to delete backups and disable the recovery option in Windows. |

 

IOCs

 

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Malicious Executable | 4b53652574ce6ded87c9884bc88b491424e83e79 | SHA1 Hash | Installation | Primary Payload of Mimic Ransomware | 2022-12-12 |
| Malicious Executable | b7581da9c48e1b514664d560f866899745620b82 | SHA1 Hash | Installation | Secondary Payload of Mimic Ransomware | 2023-01-27 |
| Malicious zip | f204bcdf564eb2a5bdfa74745ce53263c8f6476f | SHA1 Hash | Installation | Encrypted 7zip file which contains malicious payload | 2022-12-12 |
| Executable used by malware | dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b | SHA1 Hash | Execution | Software to disable Windows Defender | 2021-06-19 |

 

 

 

[1] https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-e...

[2] https://www.voidtools.com/faq/

[3] https://www.sordum.org/9480/defender-control-v2-1/

[4] https://github.com/qtkite/defender-control

[5] https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options?...

[6] https://www.voidtools.com/support/everything/command_line_options/

[7] https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
