Understanding the behavior of a malware is a difficult task because malware writers distort the binary executable with obfuscation techniques. Moreover, obfuscation techniques become sophisticated and diverse, and even the virtualization technique is applied. With virtualization of a binary executable, original instructions are transformed into bytecodes of unidentifiable virtual machine (VM) that simulates VM bytecodes during the execution. The virtualization modifies the structure of the programs and causes hard and time-consuming analyses. Furthermore, variations of VM hinder to devise a standard reverse-engineering technique. Nonetheless, since an obfuscated program inevitably has the same semantics as the original program, monitoring dynamic behaviors of the program will help the analyzers to figure out the inside based on the structure and semantics of its run traces. In this paper, we describe our observation on virtualization-obfuscation and present dynamic analysis algorithms and implement an analysis tool that analyzes the structure and semantics of run traces. We expect malware analyzers to save time in understanding an obfuscated malware with our tool.