The imports and the string cmd are the only interesting strings that appear statically in the binary.
It terminates without doing much.
Rename the file ocl.exe before you run it.
A string is being built on the stack, a technique attackers use to hide strings from simple strings utilities and basic static analysis.
1qaz2wsx3edc and a pointer to a buffer of data are passed to subroutine 0x401089.
The malware uses the domain practicalmalwareanalysis.com.
The malware will XOR the encoded DNS name with the string 1qaz2wsx3edc to decode the domain name.
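As an added example (not the lab's answer key and not the malware's own code), a small Python decoder for the repeating-key XOR scheme described above. It assumes subroutine 0x401089 walks the key with a simple modulo counter, which should be confirmed against the disassembly; the encoded bytes below are constructed here, not copied from the binary.

```python
# Added example: repeating-key XOR decoder of the kind described above.
# Assumption (verify in the disassembly of 0x401089): the key is indexed as
# key[i % len(key)] for each byte of the encoded buffer.

KEY = b"1qaz2wsx3edc"  # the key string passed to the subroutine


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte of data with the key byte at the same position,
    wrapping around the key. XOR is symmetric, so the same routine
    encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c_string(buf: bytes, key: bytes = KEY) -> str:
    """Decode a NUL-terminated encoded buffer and return the cleartext as
    text. Stops at the first decoded NUL byte, as C string routines
    in the sample would."""
    plain = xor_with_key(buf, key)
    end = plain.find(b"\x00")
    if end != -1:
        plain = plain[:end]
    return plain.decode("ascii", errors="replace")


# Constructed sample: the lab's domain, encoded with the same routine.
# These are NOT the bytes that appear in the binary.
ENCODED_SAMPLE = xor_with_key(b"practicalmalwareanalysis.com\x00")


def main() -> None:
    print("encoded:", ENCODED_SAMPLE.hex())
    print("decoded:", decode_c_string(ENCODED_SAMPLE))


if __name__ == "__main__":
    main()
```

To apply this to the real sample, dump the buffer passed to 0x401089 from the debugger and feed it to decode_c_string in place of ENCODED_SAMPLE.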
The malware is setting the stdin handles (used in the STARTUPINFO structure of CreateProcessA) to the socket. Since