DiffView can start monitoring from several kinds of targets: select a running process, pick an executable file, or type your own command line. As long as the target is valid, DiffView either attaches to the existing process or creates a new one and monitors it.
It also provides a live list of running processes to make attaching to an existing process easier. Once a process is monitored, its activity is logged and displayed as it happens.
DiffView lets you choose which kinds of events to collect: process manipulation, filesystem modifications, or registry activity.
These events are displayed in tree and table views to make it easier to understand what the monitored process is doing.
Analysis Score & Report
While events are collected, the analysis engine filters and classifies them. The result is a set of indicators and a maliciousness score.
When the run completes, a full report is generated and archived for later display and sharing. Happy sandboxing!
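To make the filter / classify / score pipeline concrete, here is an added example in Python. It is not DiffView's engine and makes no claim about how DiffView computes its score: the event format, the noise filter, the indicator rules, their weights and the verdict thresholds are all assumptions chosen for illustration, and the event log it runs on is constructed by hand.

```python
"""Indicator-based scoring of sandbox events (illustrative, not DiffView's code).

Pipeline: filter noisy events -> match indicator rules -> sum weights into a
score -> derive a verdict. Rules, weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    kind: str     # assumed event kinds: "process", "file" or "registry"
    op: str       # e.g. "read", "write", "create", "set", "query"
    target: str   # command line, file path or registry value path
    pid: int = 0


@dataclass
class Indicator:
    name: str
    weight: int
    events: list = field(default_factory=list)  # the events that matched


# Noise filter (assumption): read/query events and Prefetch activity are
# produced by almost any Windows process and add nothing to classification.
NOISE_PREFIXES = (r"C:\Windows\Prefetch",)


def filter_events(events):
    """Drop events that carry no signal so rules run on the interesting ones."""
    return [e for e in events
            if e.op not in ("read", "query")
            and not (e.kind == "file" and e.target.startswith(NOISE_PREFIXES))]


def rule_run_key(events):
    """Persistence: a value written under a CurrentVersion\\Run key."""
    return [e for e in events if e.kind == "registry" and e.op == "set"
            and r"\CurrentVersion\Run" in e.target]


def rule_exe_in_user_dir(events):
    """Staging: a PE file written somewhere user-writable."""
    return [e for e in events if e.kind == "file" and e.op == "write"
            and e.target.lower().endswith((".exe", ".dll", ".scr"))
            and ("\\appdata\\" in e.target.lower() or "\\temp\\" in e.target.lower())]


def rule_drop_and_execute(events):
    """Cross-event correlation: a file this process wrote is later executed."""
    written = {e.target.lower() for e in events if e.kind == "file" and e.op == "write"}
    return [e for e in events if e.kind == "process" and e.op == "create"
            and any(w in e.target.lower() for w in written)]


def rule_script_host(events):
    """A script interpreter or living-off-the-land binary is spawned."""
    hosts = ("powershell", "cmd.exe", "wscript", "mshta", "regsvr32")
    return [e for e in events if e.kind == "process" and e.op == "create"
            and any(h in e.target.lower() for h in hosts)]


def rule_shadow_copy_deletion(events):
    """Volume shadow copies removed, typical of ransomware before encryption."""
    return [e for e in events if e.kind == "process" and e.op == "create"
            and "vssadmin" in e.target.lower() and "delete shadows" in e.target.lower()]


# (name, weight, rule) - weights are assumptions, not calibrated values.
RULES = [
    ("Persistence via Run key", 25, rule_run_key),
    ("Executable dropped in user-writable directory", 15, rule_exe_in_user_dir),
    ("Dropped file executed", 30, rule_drop_and_execute),
    ("Script host / LOLBin spawned", 10, rule_script_host),
    ("Shadow copies deleted", 40, rule_shadow_copy_deletion),
]


def analyze(events):
    """Return (indicators, score 0..100, verdict) for one monitored run."""
    filtered = filter_events(events)
    indicators = [Indicator(name, weight, hits)
                  for name, weight, rule in RULES if (hits := rule(filtered))]
    score = min(100, sum(i.weight for i in indicators))
    verdict = "malicious" if score >= 60 else "suspicious" if score >= 25 else "clean"
    return indicators, score, verdict


# Constructed event log of a hypothetical dropper (not a real sample).
SAMPLE_EVENTS = [
    Event("file", "read", r"C:\Windows\System32\kernel32.dll", 4120),
    Event("registry", "query", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", 4120),
    Event("file", "write", r"C:\Users\victim\AppData\Roaming\svchost.exe", 4120),
    Event("registry", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", 4120),
    Event("process", "create", r"C:\Users\victim\AppData\Roaming\svchost.exe", 4120),
    Event("process", "create", "cmd.exe /c vssadmin delete shadows /all /quiet", 5004),
]

# Constructed benign log: a document editor saving a file.
BENIGN_EVENTS = [
    Event("file", "read", r"C:\Windows\System32\user32.dll", 7000),
    Event("file", "write", r"C:\Users\victim\Documents\notes.txt", 7000),
]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        indicators, score, verdict = analyze(log)
        print(f"{name}: score={score} verdict={verdict}")
        for ind in indicators:
            print(f"  [{ind.weight:>2}] {ind.name}: {len(ind.events)} event(s)")
```

The rule that carries most of the value is the one that correlates across events (a file written by the process and then executed); single-event rules mostly restate the log. Two caveats apply to any scheme like this: weights and thresholds are heuristics and need tuning against a corpus, and the noise filter is a blind spot by construction (dropping reads means a sample that only reads credential files would score as clean here).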
Mathew L. - April 2020
A very good portable sandbox
I've been analyzing malware for 15 years. It's always complicated to get malware behavioral analysis without using online sandboxes like Cuckoo, ANY.RUN or similar. It takes time to complete and requires sharing the sample with them, and potentially with third parties. I tried DiffView recently, with the promise of having everything kept local on a test machine I own.
I have to admit it does a pretty good job. It runs fast, it's very easy to deploy (just a file to drop) and the indicators and the score are neat. They help a lot with classification.
I use DiffView mostly on preliminary runs, when I need to know what the malware is doing, to find its weak points. I do recommend it.