Decent writeup from CS with that evasion method described -

https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spid...