#### Security
# Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

www.bitdefender.com


-----

Balint SZABO - Security Researcher (Attack Research) @ Bitdefender


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

### Technical analysis

In this chapter we describe the way in which secur32.dll arrives on the system and what actions it performs once it is
loaded in a OneDrive process. We noticed four similar hashes of secur32.dll, but all of them perform the same actions.
Multiple versions of secur32.dll hints at the fact that this malware campaign is ongoing and actively tested (the
authors are making small changes to the code and recompiling it, but leave the functionality untouched).

In normal circumstances, OneDrive.exe and OneDriveStandaloneUpdater.exe load secur32.dll from C:\Windows\System32

In this case, secur32.dll is loaded from the OneDrive folder which allows non-elevated users to write files to

Stack trace in the moment when secur32.dll creates the malicious thread

##### Initial access
As initial access is concerned, the malicious secur32.dll seems to arrive at its desired location by commodity
malware disguised as legitimate software (dropper process names include adobe photoshop setup.exe, Free_
**Macro_V1.3.exe). From the moment the malicious secur32.dll is dropped, it is up to the legitimate OneDrive.exe or**
**OneDriveStandaloneUpdater.exe to load and execute it.**

##### API resolution
Before digging further into the attack, we would like to present the API resolution scheme, which is used both by the
**dropper and the malicious secur32.dll.**

When secur32.dll calls Windows API, the functions are not directly called, to evade malware detection based on
imports. Instead, the malicious secur32.dll uses an API resolution scheme that employs FNV-1a hashing [4][ .]


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The call of CreateProcessA, for example, looks like this:

Example of indirect API call

An indirection is used for each function call that will resolve the API and then call the function:

Before being called, each API needs to be resolved

The API resolution performs the following steps:

The Process Environment Block is obtained using NtCurrentPeb()


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The pointer to PEB_LDR_DATA is obtained from the PEB

Gets the InLoadOrderModuleList, that is actually the first entry of type LDR_DATA_TABLE_ENTRY

Iterates the list of modules loaded by the host process. For each module, it iterates the list of exported functions. The searched function is
identified by calculating the FNV-1a hash of its name and comparing the result with a hardcoded value

An interesting property of the FNV-1a hash is that it needs a value to initialize the hash. In the above example, the hash
is initialized to 0xBCCAC3D70CB02197, but this can be any non-zero value. This initialization allows the malware to
identify the target API name through more (Hash, ApiCheckSum) pairs, and the malware actually does this. Each API
call has its own API resolution function with a different hardcoded initial hash and checksum.

##### Execution flow

**General infection flow**

We noticed two main patterns used when dropping secur32.dll. One of them involves using a small dropper malware
process which writes to disk the malicious secur32.dll and additional files. In the second case, the dropper malware
injects malicious code into AppLaunch.exe to perform the drop.


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The following diagram offers a high-level overview of the malware operation flow:

The main attack flow

**Dropper flow**

The dropper malware attempts to limit noise by checking first if the infected computer can support crypto-currency
mining. For that, it performs a basic check of the available hardware. First, it checks that the number of CPU cores is
greater than 2.

The dropper checks the number of CPU cores

Next, it enumerates the display adapters to check that the system is equipped with, as a minimum, an Intel, Nvidia
or AMD graphics card that runs correctly. After querying the display adapters, it checks whether they are equal with
“Microsoft Basic Display Adapter” or “Standard VGA Graphics Adapter.” These two display adapters are used when the


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The dropper checks the existence of a graphics card

The dropper resolves the LoadLibraryA function and loads shell32.dll, advapi32.dll and wininet32.dll. The names of
the DLLs are present in the dropper memory as XOR-encrypted strings.

String in memory before decryption

The same memory area after decryption with XOR

In case OneDrive.exe is running, the malware stops it, using the command line: _taskkill /IM OneDrive.exe /F._

The configuration of the crypto miner software is stored in the memory of the dropper, as a JSON array in a XOR
encrypted form. When decrypted, we notice that it contains the parameters required by the cryptomining software:

The configuration for the crypto mining software

The malware encrypts the JSON array by performing XOR operation with the GUID obtained by a call to
GetCurrentHwProfileA and writes it to disk in the folder %LocalAppData%\Microsoft\ using a randomly generated file
name that ends with _s (e.g.: 0dsaowQ2ACuzIJ_s).

The dropper then decrypts the malicious secur32.dll hardcoded in its own memory and writes it to %LocalAppData%\
_Microsoft\OneDrive\Secur32.dll._


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

Encrypted secur32.dll in the data section of the dropper

Decrypted secur32.dll in the memory of the dropper and the dropped secur32.dll file

Interestingly, the dropper will also decrypt a hardcoded OneDrive.exe and replace the already existing one inside
%LocalAppData%\Microsoft\OneDrive\. The replacement OneDrive has malicious signatures on VirusTotal and it is
not digitally signed, but the attack works with the original, clean OneDrive.exe. The replacement OneDrive.exe only
contains a LoadLibraryA(“secur32.dll”) call.

To ensure that OneDrive executes at the next reboot, the dropper adds to registry values two reg.exe command lines:

- _REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d %LocalAppData%\_
_Microsoft\OneDrive\OneDrive.exe_

- _REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG__
_BINARY /f /d 020000000000000000000000_

At this point, the job of the dropper process is done. Now the malicious secur32.dll will be loaded by either OneDrive.
**exe or OneDriveStandaloneUpdater.exe into memory.**

Some of the dropper processes that we detected communicate with a C2 server on Telegram and report the hardware
specs and geolocation of the infected machine.


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

**secur32.dll flow**

The malicious secur32.dll exports only one function, GetUserNameExW:

The export directory of the malicious secur32.dll

The reason for this is that OneDrive.exe imports only GetUserNameExW from the malicious secur32.dll:

The import directory of OneDrive.exe

We can assume that OneDrive.exe calls GetUserNameExW. The malicious secur32.dll however returns the value 1
from the exported API:

Fake stub for GetUserNameExW

By using the fake GetUserNameExW stub, the malware avoids the disruption in the normal functioning of OneDrive.
**exe. The real malicious actions are executed from a different thread that is created by the secur32.dll from**
DllMain. The thread resolves LoadLibraryA and loads advapi32.dll, shell32.dll and wininet.dll. The thread also calls
GetCurrentHwProfileA, which returns the same GUID as it returned for the dropper. In the rest of the paper we will refer
to this GUID as the GUID password. The thread enumerates the files in %LocalAppData%\Microsoft\ and it looks for
three special files:


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

**File path pattern** **File contents**

the config file XOR encrypted by the dropper with the
%appdata%\Local\Microsoft\<random_characters>_s
GUID password

XMRig[ 5 ](open-source crypto miner) binary that was
%appdata%\Local\Microsoft\<random_characters>_c downloaded in a previous run of the malicious secur32.
dll and archived with the GUID password

lolMiner[ 6 ](open-source crypto miner) binary that was
%appdata%\Local\Microsoft\<random_characters>_g downloaded in a previous run of the malicious secur32.
dll and archived with the GUID password

The dropper decrypts the config file using the GUID password and loaded into memory as a JSON array.

If the dropper cannot find either XMRig or lolMiner on the disk, it means that secur32.dll did not yet run and they must
be downloaded from their GitHub repositories. When downloading the crypto miners, the URLs used for download are
XOR decrypted from memory. The User-Agent in the requests is “soft”.

The URLs for lolMiner is decrypted by applying 80 bytes long XOR with hardcoded key

The dropper will make a request to github.com with the User-Agent set to “soft”

The crypto-miners are downloaded in memory as zip archives and then inflated while still being kept in memory. These
crypto miners need some command line parameters to run. The dropper extracts the parameters from the config file
ending in _s. Moreover, the config file specifies which crypto miner should be used. In case the mining algorithm is
Ethash, Etchash or TON, the chosen crypto-miner is lolMiner. In case of Monero, the obvious choice is XMRig.

If lolMiner is used, the hollowed process is svchost.exe. In case XMRig is used, the chosen victim is conhost.exe. After
**OneDrive.exe hollows the victim process, a new thread is started inside OneDrive.exe, which runs an infinite loop. This**
thread checks if Taskmgr.exe, procexp.exe or procexp64.exe is running and kills the hollowed process in case those
tools are active. Otherwise, the victim process is hollowed again.

The main flow of the malicious thread is summarized by the following flowchart:


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The main execution flow in the malicious secur32.dll (part 1)


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild


The main execution flow in the malicious secur32.dll (part 2)


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

_Flow of obtaining the image of the crypto miner in memory_


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The process hollowing technique is classic, but we will present it for recap purposes. First of all, a victim process is
created with the CREATE_SUSPENDED flag:

Process hollowing victim is created suspended

The context of the main thread of the victim process is needed in the hollowing process. A CONTEXT structure is
allocated using VirtualAlloc and the context is acquired using GetThreadContext.

The ContextFlags field is set to CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_
POINT.

The context of the victim process is acquired

Executable memory is allocated in the address space of the victim process and the headers of the crypto miner MZPE
are written in the allocated memory area:

VirtualAllocEx called on the victim process

The headers of the crypto miner are written in the victim process


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The sections of the crypto miner are written one by one in the memory address of the victim process and the
ImageBase of the victim process is modified to the ImageBase of the crypto miner:

The sections of the crypto miner are written in the victim process

At the end of the loop, the RCX register in the victim process context is changed to contain the virtual
AddressOfEntryPoint of the injected crypto miner. This register originally contained the virtual AddressOfEntryPoint of
the victim executable:

The AddressOfEntryPoint of the victim process is patched


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The flow of the process hollowing operation is summarized in the following flowchart:

The flow of process hollowing


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

The flow of the post-hollowing operations is summarized in the following flowchart:

The flow of the operations performed after process hollowing

##### Defense evasion techniques
This malware employs two big defense evasion techniques: DLL Side-Loading and Process Hollowing. First of all,
the malicious secur32.dll gets loaded in OneDrive executables via a DLL Side-Loading vulnerability. Secondly, the
crypto miner runs inside either a svchost.exe or a conhost.exe process as a result of Process Hollowing. Both these
techniques help the malware blend in with the processes that normally run on a system, such that the presence of a
crypto miner should not be obvious when somebody checks the running processes.

When it comes to smaller evasion techniques, the malware makes some effort to hide its strings, making it harder to
add static detection rules. To make the job of static detection engines harder, the malware hides its imports by using
an API resolution scheme and resolving an API only before using it.

**Strings encoding**

For example, the string Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip is first loaded
into an array as a ciphertext:


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

Example of ciphertext to be decrypted

Then, the bytes of the key are also loaded into an array:

Example of encryption (and decryption) key

Finally, the XOR operation is performed by the vpxor instruction from the MMX instruction set.

##### Command and Control
There is no actual C2 server involved in the operation of this malware. The only communication with the group behind
the attack is done by the dropper that reports back to the malware developers via a Telegram channel.

A request is made that contains the hardware parameters of the new “worker” alongside it’s localization data:

##### Telegram channel message example

|❗ New worker connected! ❗️ Info: — GPU: Intel(R) HxD Graphics 630 — CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz — RAM: 16247 MB ❕ Other info: — Username: <edited out> — IP: <edited out> — Country: RO — Build tag: EasyMiner|❗ New worker connected! ❗️ Info: — GPU: Intel(R) UHD Graphics 630 — CPU: Intel(R) Core(TM) i5-8300H CPU @ 2.30GHz — RAM: 8066 MB ❕ Other info: — Username: <edited out> — IP: <edited out> — Country: PT — Build tag: xDD|
|---|---|


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

##### Impact
As crypto-currency mining is resource-intensive, victims can immediately notice degraded CPU and GPU performance,
overheating and increased energy consumption. All these side effects can wear hardware out.

As mentioned, the cryptojacking campaign uses four cryptocurrency mining algorithms: ethash, etchash, ton and xmr
with a predilection towards etchash. With this information, as well as the public wallets in the configuration files, our
investigation revealed that attackers make an average of $13 worth of crypto-currency per infected computer.

### Campaign distribution/ Campaign evolution

In terms of campaign evolution, we noticed that the malicious secur32.dll is recompiled about every 3 weeks:

The number of detection plotted against the date, comparing the evolution of the four malicious secur32.dll versions

We noticed that changes between the versions don’t affect the functionality as much, but rather affect encoded strings.

For instance, the first version we noticed (fed6517a5f84eecc29edee5586d7feeb) contained the
string Lolliedieb/lolMiner-releases/releases/download/1.48/lolMiner_v1.48_Win64.zip, while the second version,
9b1c1fd2556275a985bb4ce4aba99975 contained the string Lolliedieb/lolMiner-releases/releases/download/1.51a/
_lolMiner_v1.51a_Win64.zip. This implies the authors are updating the download location of the open-source_
cryptomining software when a new version comes along.


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

A breakdown of the top 10 countries in terms of number of infected users is as follows:

Campaign distribution


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

### How does Bitdefender defend against the campaign?

##### Protection
Bitdefender Endpoint Security Tools (BEST) On-Access scanning detects and stops the dropper process with a
signature of type AI:Coinminer:

Static detection of the dropper process as seen on in the Bitdefender Endpoint Security on the victim machine

##### Detection
To test the detection and visibility of our product, we adjusted the BEST settings to not block malicious processes.

Detection & visibility for dropper.exe from the GravityZone web interface

The Advanced Threat Control[7] technology reveals the following actions taken by the dropper:

- running taskkill.exe to stop OneDrive.exe

- dropping the malicious secur32 dll


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

- running OneDrive.exe, which, after loading the malicious secur32.dll, makes a request to github.com, to download
the open-source crypto miner

- running reg.exe which adds OneDrive to startup via Windows Registry

- connecting to the Telegram API

- dropping the config file of the crypto miner (the file ending in _s)

Upon reboot, we also notice that OneDrive.exe is automatically started by explorer.exe, executes svchost.exe and
hollows it, which means that it replaces the image of svchost.exe in memory with the image of the crypto miner:

Detection & visibility for the side-loaded onedrive.exe from the GravityZone web interface

The command line of the hollowed svchost.exe will be C:\Windows\system32\svchost.exe --algo ETCHASH --pool
_etc.2miners.com:1010 --user 0x5aC1BA3f615fEAa6F638436D1C25CB2847C84e34.EasyMiner_


-----

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

### Conclusion

In this article we presented a DLL Side-Loading attack happening within the ubiquitous OneDrive application.

OneDrive can be side-loaded with several other DLLs. In this case, secur32.dll was chosen, possibly because OneDrive
uses only one of its exports. During our vulnerability disclosure process, we learnt that OneDrive can be installed “per
user” or “per machine”. In the default “per user” installation, the folder where OneDrive is located is writeable by nonelevated users, meaning that a malicious dll could be dropped there, or executable files can be modified or completely
overwritten (OneDrive.exe, OneDriveStandaloneUpdater.exe).

OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding
OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.
**exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from**
**OneDriveStandaloneUpdater.exe loading the malicious secur32.dll. However, Microsoft recommends that customers**
[choose the “per machine” install under the Program Files folder as per the instructions available here.](https://docs.microsoft.com/en-us/onedrive/per-machine-installation)

Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user
caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that
users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats and to
download software from trusted locations only.

### Bibliography

1. [https://besteffortteam.it/onedrive-and-teams-dll-hijacking/](https://besteffortteam.it/onedrive-and-teams-dll-hijacking/)

2. [https://www.syxsense.com/onedrive-vulnerability/](https://www.syxsense.com/onedrive-vulnerability/)

3. [https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/](https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/)

4. [https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function)

5. [https://github.com/xmrig/xmrig](https://github.com/xmrig/xmrig)

6. [https://github.com/Lolliedieb/lolMiner-releases](https://github.com/Lolliedieb/lolMiner-releases)

7. [https://businessresources.bitdefender.com/hubfs/Bitdefender-Business-2015-SolutionPaper-ATC-93030-](https://businessresources.bitdefender.com/hubfs/Bitdefender-Business-2015-SolutionPaper-ATC-93030-en_EN-web.pdf)
[en_EN-web.pdf](https://businessresources.bitdefender.com/hubfs/Bitdefender-Business-2015-SolutionPaper-ATC-93030-en_EN-web.pdf)

8. [https://docs.microsoft.com/en-us/onedrive/per-machine-installation](https://docs.microsoft.com/en-us/onedrive/per-machine-installation)


-----

### MITRE techniques breakdown

**Execution** **Persistence** **Defense Evasion**

[Boot or Logon](https://attack.mitre.org/techniques/T1547/001/)

[User](https://attack.mitre.org/techniques/T1204/002/)

[Autostart](https://attack.mitre.org/techniques/T1547/001/) [Hijack Execution](https://attack.mitre.org/techniques/T1574/002/)

[Execution:](https://attack.mitre.org/techniques/T1204/002/)

[Execution: Registry](https://attack.mitre.org/techniques/T1547/001/) [Flow: DLL Side-](https://attack.mitre.org/techniques/T1574/002/)

[Malicious](https://attack.mitre.org/techniques/T1204/002/)

[Run Keys / Startup](https://attack.mitre.org/techniques/T1547/001/) [Loading](https://attack.mitre.org/techniques/T1574/002/)

[File](https://attack.mitre.org/techniques/T1204/002/)

[Folder](https://attack.mitre.org/techniques/T1547/001/)

[Process](https://attack.mitre.org/techniques/T1055/012/)

[Native API](https://attack.mitre.org/techniques/T1106/) [Injection: Process](https://attack.mitre.org/techniques/T1055/012/)

[Hollowing](https://attack.mitre.org/techniques/T1055/012/)

### Indicators of compromise

##### Hashes

- malicious secur32.dll

`o` fed6517a5f84eecc29edee5586d7feeb

`o` 9b0d09fd16c24a1691fa7e316351399d

`o` 9b1c1fd2556275a985bb4ce4aba99975

`o` ec36e1abbf75584a9d0bb4a15f8f2c33

- modified OneDrive.exe

`o` f3af73070387fb75b19286826cc3126c

- droppers

`o` 7de8b8015540bf923385c36f60b9d5ae

`o` 656a4c1fcc572e855ac2e512c04ae206

`o` 7bbeb20cfcabcfa69d668c24a235082e

`o` 7c64bb78b589054079a1048f9fc79708

`o` 73cef9a93e9572c148a5785434708c41

`o` 7c64bb78b589054079a1048f9fc79708

##### URLs

- github.com/Lolliedieb/lolMiner-releases/releases/
download/1.48/lolMiner_v1.48_Win64.zip

- github.com/Lolliedieb/lolMiner-releases/releases/
download/1.51a/lolMiner_v1.51a_Win64.zip

- github.com/xmrig/xmrig/releases/download/v6.17.0/
xmrig-6.17.0-msvc-win64.zip


Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

**Discovery** **Command and Control** **Impact**

[Application Layer](https://attack.mitre.org/techniques/T1071/001/)

[Process](https://attack.mitre.org/techniques/T1057/) [Resource](https://attack.mitre.org/techniques/T1496/)

[Protocol: Web](https://attack.mitre.org/techniques/T1071/001/)

[Discovery](https://attack.mitre.org/techniques/T1057/) [Hijacking](https://attack.mitre.org/techniques/T1496/)

[Protocols](https://attack.mitre.org/techniques/T1071/001/)

[System](https://attack.mitre.org/techniques/T1082/)
[Information](https://attack.mitre.org/techniques/T1082/)
[Discovery](https://attack.mitre.org/techniques/T1082/)

[System](https://attack.mitre.org/techniques/T1614/)
[Location](https://attack.mitre.org/techniques/T1614/)
[Discovery](https://attack.mitre.org/techniques/T1614/)

##### • Files dropped/ modified/ deleted

  - %appdata%\Local\Microsoft\OneDrive\Secur32.dll

  - %appdata%\Local\Microsoft\<random_characters>_s

  - %appdata%\Local\Microsoft\<random_characters>_g

  - %appdata%\Local\Microsoft\<random_characters>_c

##### Registry
Places OneDrive to be launched at startup by adding:

  - Key: HKCU\Software\Microsoft\Windows\
CurrentVersion\Run

  - Value: OneDrive

  - Type: REG_SZ

  - Data: %LocalAppData%\Microsoft\OneDrive\OneDrive.
exe

Enables startup action for OneDrive by setting:

  - Key: HKCU\Software\Microsoft\Windows\
CurrentVersion\Explorer\StartupApproved\Run

  - Value: OneDrive

  - Type: REG_BINARY

  - Data: 020000000000000000000000

|Execution|Persistence|Defense Evasion|Discovery|Command and Control|Impact|
|---|---|---|---|---|---|
|User Execution: Malicious File|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|Hijack Execution Flow: DLL Side- Loading|Process Discovery|Application Layer Protocol: Web Protocols|Resource Hijacking|
|Native API||Process Injection: Process Hollowing|System Information Discovery|||
||||System Location Discovery|||


-----

Bitdefender is a cybersecurity leader delivering best-in-class threat

prevention, detection, and response solutions worldwide. Guardian

over millions of consumer, business, and government environments,

Bitdefender is one of the industry’s most trusted experts for

eliminating threats, protecting privacy and data, and enabling cyber

resilience. With deep investments in research and development,

Bitdefender Labs discovers over 400 new threats each minute and

validates around 40 billion daily threat queries. The company has

pioneered breakthrough innovations in antimalware, IoT security,

behavioral analytics, and artificial intelligence, and its technology is

licensed by more than 150 of the world’s most recognized technology

brands. Launched in 2001, Bitdefender has customers in 170+

countries with offices around the world.

For more information, visit https://www.bitdefender.com.

All Rights Reserved. © 2022 Bitdefender.

All trademarks, trade names, and products referenced herein are the property of their respective owners.

##### UNDER THE SIGN OF THE WOLF

**Founded 2001, Romania** A trade of brilliance, data security is an industry where only the clearest view, sharpest mind and deepest insight can
**Number of employees 1800+** win — a game with zero margin of error. Our job is to win every single time, one thousand times out of one thousand,

and one million times out of one million.

**Headquarters**
Enterprise HQ – Santa Clara, CA, United States And we do. We outsmart the industry not only by having the clearest view, the sharpest mind and the deepest insight,
Technology HQ – Bucharest, Romania but by staying one step ahead of everybody else, be they black hats or fellow security experts. The brilliance of our

collective mind is like a luminous Dragon-Wolf on your side, powered by engineered intuition, created to guard against

**WORLDWIDE OFFICES** all dangers hidden in the arcane intricacies of the digital realm.
**USA & Canada: Ft. Lauderdale, FL | Santa Clara, CA | San Antonio, TX |**
Toronto, CA This brilliance is our superpower and we put it at the core of all our game-changing products and solutions.
**Europe: Copenhagen, DENMARK | Paris, FRANCE | München, GERMANY |**
Milan, ITALY | Bucharest, Iasi, Cluj, Timisoara, ROMANIA | Barcelona, SPAIN
| Dubai, UAE | London, UK | Hague, NETHERLANDS


-----