When you run the program without any parameters, it exits immediately.

The main function is located at 0x00000001400010C0. You can spot the call to main by looking for a function call that accepts an integer and two pointers as parameters.

The string ocl.exe is stored on the stack.

To have this program run its payload without changing the filename of the executable, you can patch the jump instruction at 0x0000000140001213 so that it is a NOP instead.

The name of the executable is being compared against the string jzm.exe by the call to strncmp at 0x0000000140001205.

The function at 0x00000001400013C8 takes one parameter, which contains the socket created to the remote host.

The call to CreateProcess takes 10 parameters. ...