Introduction In the last arcitle about Ursnif campaign have been presented the ursnif powershell downloader, which was also able to download the GandCrab payload. This payload was injected as DLL library into the running process and during the last analysis I have extracted it. Now, it is time to look more closely at this GandCrab sample. Obfuscated strings After a quick look at the disassembly we can notice many calls to one particular function, in our case named by IDA as sub_10009E69.