Execution of a sample program being evaluated for malware is initiated and then suspended to set breakpoints on timing operations of the sample program. Execution of the sample program is suspended again when a breakpoint is hit, at which time a loop is identified in the sample program and evaluated for presence of stalling code. Execution flow of the sample program is changed to exit the loop when the loop is determined to include the stalling code.