It seek "---HACKERS_CUT_HERE---" and load all bytes past this text. Then xoring it with 0xFF + pos key. When deciphering is done, starts new process, system32/lsass.exe, frozing it, load EP from EAX and clear all process memory. After this, writing deciphered bytes to lsass process and replacing EAX with his own entrypoint address. Dont work when binded exe is non-ASLR on ASLR systems.
This method is called thread inject or something similiar.