In the present age, the amount of malware is growing very rapidly, and the kinds and behaviors of malware are becoming very diverse. This poses social security threats such as data loss, leakage of personal and financial information, system damage, and the destruction of IT infrastructures. Unlike existing malicious codes, modified or new types of malicious codes are being identified, and it is very inefficient for analysts to manually analyze one by one from the beginning. Malware analysts to solve these problems are analyzed and studied effective way to reduce the time and cost of analysis. In this paper, we propose a way to express the characteristics by using the API Sequence for malware detection and classification. It compares and analyzes several existing expression methods and verifies the efficiency through actual malicious code samples. Using the expression method proposed in the paper, we detected four malicious behaviors: DLL Injection, Downloader, Key Logger, and Anti debugging. As a result, it was detected more than the conventional detection method, and it can be seen that the more complex the malicious behavior, the higher the detection efficiency. In addition, although static analysis was adopted as the main method, the flow of malicious behavior can be analyzed because it searches for execution condensation.