Obfuscated malware, use runtime linking to access libraries, instead of accessing the libraries at startup, they access them whenever they want. In order to find out about Dynamically linked malware, we use Dependancy Walker.
Kernel32.dll:- Deals with memory management threads, syncing.
Advapi32.dll:- This Dynamic Library provides access services and registry components.
User32.dll:- This is the userinterface base, hacking this file allows external themes
Gdi32.dll:- This DLL contains functions for displaying and manipulating graphics.
Ntdll.dll :- This DLL is not for programmer, is is an interface for the Native API, the language used by Windows to communicate itself, it is used during boot when other services and stuff have not loaded. When an application loads this, you can be nearly sure it is an malware.
WSock32.dll :- This is networking DLL. Programs use this to hook into your internet connections and sniff passwords.
Wininet.dll :- For FTP, HTTP, NTP.
These are the basics DLL's used by any program that can be got using dependancy walker.