Abstract:
Malicious behavior analysis based on virtual machines currently suffers from a single detection point, weak resistance to interference, and test results of low reliability. To address these problems, a method for extracting and reconstructing multidimensional attributes of processes in virtual memory was proposed. Based on the characteristics of VMware virtual-environment memory, the serialized behavior patterns across a process's lifecycle, such as startup, hiding, suspicious operations and network communication, were reconstructed and formally described as the six-tuple < name relationship, father-son relationship, time relationship, file relationship, communication relationship, user relationship >. The six-tuple was then extended into an evidence chain, and a malicious behavior recognition model based on an improved k-means algorithm was proposed: the similarity between the six-tuples of different processes is computed, the cluster centers are initialized from a set of known malicious processes combined with a priori knowledge, and the relevance and dependence of the behavioral evidence in virtual memory are then analyzed. Test results show that the detection rate of malicious processes over 1 000 samples reaches 91.98%. Compared with traditional memory forensics techniques, the virtual memory process information reconstructed in this paper is more complete, and the resulting malicious behavior judgment is more accurate and reliable.
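The following is an added illustration of the clustering step sketched in the abstract, not code from the paper: process six-tuples are compared with a per-field similarity and clustered with k=2, where the malicious cluster center is seeded from a priori labelled samples. The six field names follow the abstract; the similarity measure, the mode/mean centroid update and the sample processes are assumptions.

```python
"""Added illustration (not the paper's code): k=2 clustering of process six-tuples
with the malicious-cluster center seeded from a priori labelled malicious samples.
The similarity measure, centroid update (a k-modes style step) and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass

FIELDS = ("name", "parent", "time", "file", "comm", "user")

@dataclass(frozen=True)
class ProcTuple:
    name: str    # name relationship: image name
    parent: str  # father-son relationship: parent image name
    time: int    # time relationship: start hour (0-23)
    file: str    # file relationship: dominant file-operation pattern
    comm: str    # communication relationship: network pattern
    user: str    # user relationship: owning account

def similarity(a, b):
    """Fraction of matching fields; 'time' matches when within one hour (assumption)."""
    hits = sum(abs(getattr(a, f) - getattr(b, f)) <= 1 if f == "time"
               else getattr(a, f) == getattr(b, f) for f in FIELDS)
    return hits / len(FIELDS)

def centroid(members):
    """Per-field mode (rounded mean for 'time') of a cluster's members."""
    vals = {}
    for f in FIELDS:
        col = [getattr(m, f) for m in members]
        vals[f] = round(sum(col) / len(col)) if f == "time" else Counter(col).most_common(1)[0][0]
    return ProcTuple(**vals)

def cluster(procs, known_malicious, rounds=20):
    """Returns {proc: 'malicious' | 'benign'}; center 0 is initialized from known_malicious."""
    centers = [centroid(known_malicious), centroid([p for p in procs if p not in known_malicious])]
    assign = None
    for _ in range(rounds):
        new = [max(range(2), key=lambda k: similarity(p, centers[k])) for p in procs]
        if new == assign:
            break  # assignments stable: converged
        assign = new
        for k in range(2):
            members = [p for p, a in zip(procs, assign) if a == k]
            if members:
                centers[k] = centroid(members)
    return {p: ("malicious" if a == 0 else "benign") for p, a in zip(procs, assign)}

# Constructed sample: two labelled malicious processes, three benign ones, one unlabelled suspect.
KNOWN_MALICIOUS = [ProcTuple("upd.exe", "cmd.exe", 3, "writes_temp", "beacon", "SYSTEM"),
                   ProcTuple("upd.exe", "cmd.exe", 2, "writes_temp", "beacon", "SYSTEM")]
SUSPECT = ProcTuple("upd.exe", "cmd.exe", 3, "writes_temp", "beacon", "alice")
SAMPLE = KNOWN_MALICIOUS + [ProcTuple("notepad.exe", "explorer.exe", 10, "reads_doc", "none", "alice"),
                            ProcTuple("chrome.exe", "explorer.exe", 11, "reads_cache", "https", "alice"),
                            ProcTuple("word.exe", "explorer.exe", 9, "reads_doc", "none", "bob"), SUSPECT]
```

With the constructed sample, the unlabelled suspect shares five of six fields with the seeded malicious center and is assigned to the malicious cluster, while the three benign processes stay in the second cluster.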