  • Thesis

Detection of Packed Viruses Using Behavior-Matching Classification

Packed Malware Detection Based on Behavior Classification

Advisor: 郭斯彥

Abstract

In view of the alarming growth of malware in recent years, with the surge in new viruses reaching a historic high in 2009, making antivirus software more efficient is one of the most important issues facing the information security community today. Existing matching techniques detect malware by signature matching, and such matching can often be evaded simply by packing the virus or modifying its signature. How to effectively improve the efficiency of malware matching therefore became our research goal. According to Cisco's research, packed programs account for roughly 70-80% of malware, so we propose a more effective detection method for packed variants: behavior matching. That is, using the principle that a virus's behavior does not change, we guard against the virus when it performs a particular action and alert the user that the computer has been modified in an unknown way. We classify virus behavior through a mechanism called a Profile, and use numeric identifiers to speed up the system's execution. Finally, through experiments comparing against VirusTotal, we show that our system can effectively monitor malware behavior and guard against packed virus variants.

Abstract (English)

Anti-malware companies receive thousands of malware samples every day, and the growth of malware surged to a historic high in 2009. How to make antivirus programs more effective is therefore an important and urgent problem. Traditionally, malware is detected by signature. However, if the malware is packed or its signature is changed, the antivirus program will not be able to find it. We therefore want to provide a new way to solve this problem. According to Cisco's research, 70%-80% of malware is packed. In this thesis, we provide a new way of detecting packed malware. When malware does something special to a user's computer, we can detect the behavior and tell the user that it is suspicious behavior by malware. We propose a scalable clustering approach to identify and group malware samples that exhibit similar behaviors, and we use a number register to make our system more effective. The results of our extensive experiments show that our system can find malware more effectively than existing tools.

