Thanks for following down the rabbit hole, let us know what you find! Also... why Qwen?
> why qwen

I have it running locally, and I don't want to add credentials to the VM with the malware.

According to Qwen:

It's cross platform

It has a bunch of persistence mechanisms.

It downloads another pack from pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev. Verified I got the secondary payload.

This pack looks like a Python 3.10 environment along with an executable called cupsd.

And it downloads another JS script from http://138.201.125.58:1224/client/99/77

That script then proceeds to download three Python scripts that use the aforementioned Python environment and do their business; Qwen is having trouble de-obfuscating their URLs and I am busy.

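An added example from a defender's side, not code from either poster or from the analysis above: the post names two network indicators (the r2.dev host for the secondary pack and the 138.201.125.58:1224 endpoint serving the JS stage), and the natural first use of those is to sweep existing proxy and DNS logs for any host that already reached them. The matcher below checks full URLs (host, port, path) as well as bare hostname and IP mentions, so a DNS-only log line is caught too. The log lines are constructed for the demonstration and are not from the thread.

```python
"""Sweep proxy/DNS log lines for the indicators named in the post (added example)."""
import re
from urllib.parse import urlparse

# Indicators taken from the post above
IOC_HOSTS = {"pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev"}
IOC_IPS = {"138.201.125.58"}
IOC_PORTS = {1224}
IOC_URL_PATHS = {"/client/99/77"}

# Constructed sample log (squid-style access lines plus one plain DNS line);
# 10.0.0.5 is the hypothetical infected client, 10.0.0.7 is benign traffic.
SAMPLE_LOG = """\
1700000000.123 45 10.0.0.5 TCP_MISS/200 51234 GET https://pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev/pack.tar.gz - HIER_DIRECT/203.0.113.9 application/octet-stream
1700000001.456 12 10.0.0.5 TCP_MISS/200 8123 GET http://138.201.125.58:1224/client/99/77 - HIER_DIRECT/138.201.125.58 text/javascript
1700000002.789 10 10.0.0.7 TCP_MISS/200 1234 GET https://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
dns 10.0.0.5 query A pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev
"""

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_line(line):
    """Return a list of (indicator_type, value) hits for a single log line."""
    hits = []
    # Full URLs: compare host, port and path separately so a partial match
    # (same IP on a different port, say) is still visible to the analyst.
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append(("host", host))
        if host in IOC_IPS:
            hits.append(("ip", host))
            if parsed.port in IOC_PORTS:
                hits.append(("port", f"{host}:{parsed.port}"))
        if parsed.path in IOC_URL_PATHS:
            hits.append(("path", parsed.path))
    # No URL on the line (DNS logs, firewall logs): look for bare names/IPs.
    if not hits:
        for name in HOST_RE.findall(line):
            if name.lower() in IOC_HOSTS:
                hits.append(("host", name.lower()))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(("ip", ip))
    return hits


def scan(text):
    """Map 1-based line number -> hits, for every line that matched an indicator."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = classify_line(line)
        if hits:
            results[number] = hits
    return results


def matched_indicators(text):
    """Set of indicator values seen anywhere in the log (handy for a blocklist diff)."""
    return {value for hits in scan(text).values() for _, value in hits}


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

Run as-is it flags lines 1, 2 and 4 of the constructed log and leaves the example.com request alone; pointing `scan` at a real export of the proxy log gives the list of internal clients that need the same look the original VM is getting.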