A new approach to malware detection by comparative analysis of data structures in a memory image
M Aghaeikheirabady, SMR Farshchi, H Shirazi
2014 International Congress on Technology, Communication and …, 2014, ieeexplore.ieee.org
Physical memory forensics has grown in popularity in recent years. Since malware typically operates in user space, it is important to reconstruct and track its process behavior. This paper focuses on detecting malware through a comparison of the information in the user space memory data structures. In order to expedite information extraction and ensure accuracy, the data in multiple memory management structures in the user space and the kernel are used concurrently. In the proposed method, using descriptions of memory structures, we extract malware artifacts related to registry changes as well as calls to library files and operating system functions. The extracted features are then evaluated, and samples are classified according to the selected attributes. The best results include a 98% detection rate and a false positive rate of 16%, which indicates the effectiveness of the proposed behavior extraction method.