The fact that new malware appear every day demands a strong response from anti-malware forces. For that sake, an analysis of new samples must be performed. Usually, one tries to replay the behavior of malware in a safe environment. However, some samples activate a malicious function only if they receive some particular inputs from its command and control server. The problem is then to get some grasp on the interactions between the malware and its environment. For that sake, we propose to work in four steps. First, we enumerate all possible execution path following the reception of a message. Second, we describe for all execution path the set of corresponding messages. Third, we build an automaton that discriminate types of runs given an arbitrary word. Finally, we unify some equivalent run, and simplify the underlying automaton.