Just a quick tip and some x64dbg scripts that can be used to spy on the C Runtime interface. This will only work if the C Runtime is dynamically linked which is uncommon for msvc compiled malware, but is the default for gcc/minGW compiled malware.
References