The rule is too loose, which leads to the memory allocation getting matched against unrelated APIs.

Trigger: https://www.virustotal.com/gui/file/aa793f51fe674d40eed90d7cfde89fa8a001bc0507463447a901f4e5a5f90fe6/behavior