diff --git a/Docs/2004.06195.pdf b/Docs/2004.06195.pdf new file mode 100644 index 0000000..dcb8dee Binary files /dev/null and b/Docs/2004.06195.pdf differ diff --git a/Docs/Equation_group_questions_and_answers.pdf b/Docs/Equation_group_questions_and_answers.pdf new file mode 100644 index 0000000..99eecf0 Binary files /dev/null and b/Docs/Equation_group_questions_and_answers.pdf differ diff --git a/Docs/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf b/Docs/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf new file mode 100644 index 0000000..251db0f Binary files /dev/null and b/Docs/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf differ diff --git a/Docs/README.md b/Docs/README.md new file mode 100644 index 0000000..2a45ff2 --- /dev/null +++ b/Docs/README.md @@ -0,0 +1,12 @@ +# Docs + + +*Special Note:* +> +> Providing a copy of Alejandro and McDougall's research +which includes stuxnet. Why stuxnet when this is a fanny repo? Well, +in essence, knowing a bit about how stuxnet work, is a good way of understanding how fanny works. And vice versa. +> +> Also, their report also explains how to setup a malware infection, and using tools to detect it. very neat report! + +Have a nice tea! diff --git a/Docs/handson-report-McDougall-Ugas-FINAL.pdf b/Docs/handson-report-McDougall-Ugas-FINAL.pdf new file mode 100644 index 0000000..bd9872c Binary files /dev/null and b/Docs/handson-report-McDougall-Ugas-FINAL.pdf differ diff --git a/Docs/us-18-Guri-AirGap.pdf b/Docs/us-18-Guri-AirGap.pdf new file mode 100644 index 0000000..ff5a3a3 Binary files /dev/null and b/Docs/us-18-Guri-AirGap.pdf differ diff --git a/Media/Pictures.7z b/Media/Pictures.7z new file mode 100644 index 0000000..a30595e Binary files /dev/null and b/Media/Pictures.7z differ diff --git a/Media/README.md b/Media/README.md new file mode 100644 index 0000000..b80e687 --- /dev/null +++ b/Media/README.md 
@@ -0,0 +1,88 @@ +# PROOF OF CONCEPTS (aka testing) + +# Deep Dive +### video_1 +> +> just shows the malware test + + +### video_2 +> +> shows a re-creation (or a custom exploit) based on the malware [GIST - MSG BOX](https://gist.github.com/loneicewolf/c588f95287c55454ef6a5c28e8babd30) is here: + +- If you prefer `Console Application`, I include that code! +- Same if you prefer a `DLL`, including that! + + + +## Console Application +```cpp +// i686-w64-mingw32-gcc -o M msgbox.c +#include +#include +int main(int argc, char *argv[]){ + if(argc != 3){ + printf("usage: %s MESSAGE TITLE",argv[0]); + } + // MessageBox function (winuser.h) + // Displays a modal dialog box that contains + // a system icon, + // a set of buttons, + // and a brief application-specific message, + /// such as status or error information. + /// The message box returns an integer value that indicates which button the user clicked. + // ref https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox + MessageBox( + 0, /* [in, optional] HWND hWnd, */ + argv[2], /* [in, optional] LPCTSTR lpText, */ + argv[1], /* [in, optional] LPCTSTR lpCaption, */ + 1 /* [in] UINT uType */ + ); + return 0; +} +``` + + + + +# DLL +```cpp +#define WIN32_LEAN_AND_MEAN +#include +// __declspec(dllexport) THING +__declspec(dllexport) BOOL APIENTRY DllMain(HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch(ul_reason_for_call){ + + case DLL_PROCESS_ATTACH: + { + // https://gist.github.com/loneicewolf/c588f95287c55454ef6a5c28e8babd30 + // loneicewolf/win_msgbox.c + MessageBox( + 0, /* [in, optional] HWND hWnd, */ + "TEXT", /* [in, optional] LPCTSTR lpText, */ + "TITLE", /* [in, optional] LPCTSTR lpCaption, */ + 1 /* [in] UINT uType */ + ); + break; + } + case DLL_PROCESS_DETACH: + { + break; + } + case DLL_THREAD_ATTACH: + { + break; + } + case DLL_THREAD_DETACH: + { + break; + } + + } + return TRUE; +} +``` 
diff --git a/Media/VIDEOS.7z b/Media/VIDEOS.7z new file mode 100644 index 0000000..e56a157 Binary files /dev/null and b/Media/VIDEOS.7z differ diff --git a/README.md b/README.md index bc0e6d8..d0e3dec 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,172 @@ -# fanny.bmp -FANNY BMP MALWARE SOURCE + BINARY -- fanny.bmp malware Source -- Binary -- Decompiles as well as some other Details. +### ⚠️ MALWARE AHEAD! — RESEARCH ONLY ⚠️ -Link to stuxnet: https://github.com/loneicewolf/Stuxnet-Source +> **If you don’t know what this is, stop here.** +> +> This repository contains malware samples and research materials for **academic, reverse engineering, and forensics purposes only.** +> +> **Do NOT run anything outside of isolated environments (e.g., air-gapped VMs).** -fanny.bmp malware sample (with lnk files, hexdumps and checksums) +--- -Warning! Live Malware! +## Fanny.BMP / DementiaWheel Overview + +* Related to `Brutal_Kangaroo` +* Connected to [`nls_933w.dll`](https://github.com/loneicewolf/nls_933w_dll) +* Infects via USB using [CVE-2010-2568](https://nvd.nist.gov/vuln/detail/CVE-2010-2568) +* Shares DNA with Stuxnet and Flame, gauss and duqu respectievely + +- [modules LNK 1 RAPID7 fanny_bmp_check - By Me](https://www.rapid7.com/db/modules/post/windows/gather/forensics/fanny_bmp_check/) +- [vulnerabilities LNK 2 RAPID7 fanny_bmp_check - By Me](https://www.rapid7.com/db/vulnerabilities/post/windows/gather/forensics/fanny_bmp_check/) +- [metasploit-framework LNK 3 SRC of fanny_bmp_check - By Me](https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/forensics/fanny_bmp_check.rb) +--- + +## Rootkit Demonstration + +### `shelldoc.dll` GUI Stealth Sample: +![image](https://github.com/user-attachments/assets/66352a1f-99af-4e41-8138-559060cf560e) +![runas demo](https://github.com/loneicewolf/fanny.bmp/assets/68499986/1839659e-adf7-4b3b-96e7-4f1b382f3a70) + +> ✔️ Demonstrates that the rootkit hides `.lnk` and keyword-matching files even from system UI dialogs. 
**Which demonstrates it's not just a simple file hider, it's a generalized rootkit that hides dirs(verify this claim)/files[x]/even strings[x]** + +--- + +## Technical Report + +A full report was written, but will be rewritten soon for clarity and accuracy. +The update will focus on: + +* Technical deep dives +* Relationship to Equation Group tools +* Ethical simulation techniques + +--- + +## 🗂️ Project Contributions + +Fanny detection added to: + +* [Rapid7 Metasploit](https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/) +* [Metasploit Module: `fanny_bmp_check`](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/forensics/) +* [POC Video](https://www.youtube.com/watch?v=Uto_lcD2f38) + +--- + +## 🧪 Basic Malware Info + +
+Click to expand + +``` +Name: Fanny.BMP (aka DementiaWheel) +Type: USB-propagating Worm +Exploits: CVE-2010-2568 (LNK exploit) +Targets: Windows XP → Windows 10 +Payloads: Explorer rootkit, USB storage exfiltration, persistence via ACM driver + +CVE: CVE-2010-2568 +Reference: https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787/ +``` + +
+ +--- + +## POCs & Hashes + +
+Click to expand full list of samples + VirusTotal links Includes: - d.lnk - e.lnk - f.lnk - g.lnk - h.lnk - i.lnk - j.lnk - fanny.bmp +* All `__*.lnk` USB autoloaders +* `comhost.dll`, `mscorwin.dll`, `shelldoc.dll`, `ECELP4.ACM`, `agentcpd.dll` +* Primary dropper (`fanny.bmp`) +* Temporary file (`~DE1923.tmp`) + +Example: + +* `fanny.bmp` → [VT](https://www.virustotal.com/gui/file/0d9bb9a9e3a6f8836a1ef51862ae1c28f086da3a9006d1c7040fe57ed8c26231) +* `shelldoc.dll` → [VT](https://www.virustotal.com/gui/file/6eb00b34d1daffa49b2f4c90841705b2c994563bde672bf35eb1c46cdb19a1ed) + +
+ +--- + +## Metasploit Integration + +> You can detect Fanny infections using the `fanny_bmp_check` module in Metasploit: + +```bash +meterpreter > run post/windows/gather/forensics/fanny_bmp_check +``` + +Expected output: + +``` +[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\Driver found +[+] HKEY_LOCAL_MACHINE\SYSTEM\...\ECELP4\filter2 found +... +``` + +--- + +## POC Videos + +* [Rootkit behavior demo](https://youtu.be/Uto_lcD2f38) +* [Crash test from hiding corrupted .lnk files](https://github.com/loneicewolf/fanny.bmp/blob/main/SanUltra%20%28Fanny.bmp%20Bug%29.png) + +--- + +## Reproduction Bugs & Notes +> Creating `.lnk` files named `__e__.lnk` under XP with `shelldoc.dll` active may crash Explorer. +> +> ✔️ This has been captured and documented in video + screenshots. +--- +## Future Plans +* Improved USB C2 bridge w/ Metasploit +* C+Lua tooling for USB backdoor command & control +* Fully structured academic writeup +* Screenshots and annotated source -- https://www.wired.com/2015/02/nsa-firmware-hacking/ +--- +## Related Research +* [Stuxnet Source](https://github.com/loneicewolf/Stuxnet-Source) +* [Agent.BTZ Sample](https://github.com/loneicewolf/Agent.btz) +* [DUQU](https://github.com/loneicewolf/DUQU) +* [Gauss-Src](https://github.com/loneicewolf/Gauss-Src) +* [flame-sourcecode V2](https://github.com/loneicewolf/flame-sourcecode) +* [MINI-FLAME-Skywiper](https://github.com/loneicewolf/MINI-FLAME-Skywiper) +--- +## Why Release This? +> To help defenders, researchers, and detection engineers. +> These files are hard to find. Collecting + analyzing them helps strengthen infosec. -(Q) Why would you want to upload malware? You're literally providing CyberWeapons! -(A) I believe in Open-Source, and that even though in this scenario, can hopefully help malware researchers provide better protection. 
+--- +## References +* [Securelist: Equation Group](https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/) +* [Rapid7 Blog](https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/) +* [Fanny Detection Module](https://github.com/loneicewolf/metasploit_fanny_check_module) -Urgent Contacts: (Malware Researchers) -Discord: Ken-Kaneki#3978 -Mail: william-martens@protonmail.ch +--- +# MALWARE AHEAD # +**Branch of interest:** +- [🔗 `only_malware` branch (live payloads)](https://github.com/loneicewolf/fanny.bmp/tree/only_malware) +# Acknowledgements +**Thanks to** +- [Fyyre](https://github.com/Fyyre/) - for your [DrvMon](https://github.com/Fyyre/DrvMon) +- [Hfiref0x](https://github.com/hfiref0x) - for your [KDU](https://github.com/hfiref0x/KDU) +- [GPT(O3-PRO)](https://chatgpt.com/?model=o3-pro) For helping me check the formulation of this repo, like MarkDown, etc. +- [FSU's 2 Students Alejandro Ugas and McDougall for their Research](https://github.com/loneicewolf/fanny.bmp/blob/main/Docs/handson-report-McDougall-Ugas-FINAL.pdf) diff --git a/fannybmpZIP.zip b/fannybmpZIP.zip deleted file mode 100644 index 3a1f6a5..0000000 Binary files a/fannybmpZIP.zip and /dev/null differ diff --git a/password.md b/password.md deleted file mode 100644 index d90f620..0000000 --- a/password.md +++ /dev/null @@ -1,27 +0,0 @@ -## PLEASE READ THIS FIRST ## -############################ - - -THIS IS LIVE MALWARE. - -IF YOU DO NOT KNOW WHAT YOU ARE DOING HERE, PLEASE CONSIDER LEAVING. - -EVEN IF YOU DO KNOW WHAT YOU ARE DOING; USE CAUTION, PLEASE. - - -THE FILES INCLUDED ARE: - - - checksums / - - hex_dumps / - - __d__.lnk - - __e__.lnk - - __f__.lnk - - __g__.lnk - - __h__.lnk - - __i__.lnk - - __j__.lnk - - fanny.bmp - -Note: the .lnk files should have 2x underscores in them '_' but github won't let me format it that way. - -password: INFECTEDIDOKNOWWHATIAMDOING
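Review bot: in the Docs/README.md hunk the Special Note names "Alejandro and McDougall's research" but never links the file, although the same commit adds Docs/handson-report-McDougall-Ugas-FINAL.pdf; link it directly, e.g. `[McDougall & Ugas hands-on report](handson-report-McDougall-Ugas-FINAL.pdf)`. The other four PDFs added alongside (2004.06195.pdf, Equation_group_questions_and_answers.pdf, the Fanny.BMP technical report, us-18-Guri-AirGap.pdf) are not mentioned at all, so a one-line list saying what each is would make the folder usable. Also fix "how stuxnet work" to "how stuxnet works" and drop the doubled "also" in "Also, their report also explains". Check that redistributing third-party PDFs in-repo is permitted by their licences; linking to the canonical source avoids both that question and the binary bloat in git history.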
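Review bot: the Console Application block in the Media/README.md hunk has a usage check that does not stop execution: `if(argc != 3){ printf(...); }` falls through, so with fewer than two arguments `argv[2]` (or `argv[1]`) is NULL and the MessageBox call dereferences it; add `return 1;` inside the branch. The two `#include` lines are empty as shown (they need `<stdio.h>` and `<windows.h>`), and the argument order contradicts the usage string: usage says `MESSAGE TITLE`, but `argv[2]` is passed as lpText and `argv[1]` as lpCaption. The literal `1` for uType should be the named constant (MB_OKCANCEL), and the fence is tagged `cpp` while the comment compiles a `.c` file with gcc. In the DLL block, calling MessageBox from DllMain on DLL_PROCESS_ATTACH runs under the loader lock; Microsoft's DllMain guidance warns against UI and other non-trivial work there, so a comment stating that this PoC deliberately ignores that rule would help readers who copy it. Heading levels are inconsistent (`## Console Application` vs `# DLL`). Finally, video_1 and video_2 are described but the hunk never says they live in Media/VIDEOS.7z added by the same commit; say so and record the archive's checksum, since 7z files in git cannot be diffed or reviewed.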
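Review bot: the rewritten README.md hunk still ships an unresolved author note, `hides dirs(verify this claim)/files[x]/even strings[x]`; either verify the directory claim and state it, or mark it as unverified, before this lands on a page defenders will cite. Smaller fixes: "respectievely" should be "respectively", and the word does not fit anyway since "Stuxnet and Flame, gauss and duqu" are four names rather than a pair of pairs (Gauss and Duqu are capitalised elsewhere in the hunk); the banner `### ⚠️ MALWARE AHEAD! — RESEARCH ONLY ⚠️` is repeated later as `# MALWARE AHEAD #`, keep one; the two "Click to expand" lines under Basic Malware Info and POCs & Hashes have no surrounding summary/details markup in the hunk as shown, so confirm the rendered page actually collapses them. The References section links "Fanny Detection Module" to loneicewolf/metasploit_fanny_check_module while the three Rapid7 links earlier in the hunk point at the upstream rapid7 module; point both at the upstream file to avoid divergence. Under Future Plans, "Improved USB C2 bridge w/ Metasploit" and "C+Lua tooling for USB backdoor command & control" sit oddly beside the research-only banner; tie them explicitly to the "Ethical simulation techniques" item in Technical Report (lab-only simulation of the infection for detection testing), otherwise the section reads as a roadmap for offensive tooling.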
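Review bot: deleting password.md removes the only inventory that named `checksums/`, `hex_dumps/` and the seven `__?__.lnk` samples together with the archive password, and the same commit deletes fannybmpZIP.zip. The new README's "POCs & Hashes" section lists the files but neither the checksums directory nor where the encrypted archive now lives; the hunk only points to the `only_malware` branch. Make sure that branch's README carries the password, the per-file hashes (the two VirusTotal links cover fanny.bmp and shelldoc.dll only) and the double-underscore naming note, so the hashes defenders need to verify a sample are not lost with this deletion.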