Track modifications made by a program on your system

  • Our rating
User Rating 4.67 (3 votes)
Adlice DiffView is a portable sandbox, helping during malware analysis. DiffView is able to log modifications in the filesystem, in the registry and all processes activity. It's also helps classifying samples by providing a malicious score using indicators generated during events capture.
Choose your plan
  •    Registration
    If machine registration is available
  •    Custom plans
    If custom plans are available (Ex: company)
  •    Analysis
    Parse PE files
  •    Malicious Indicators
    Get information about malicious actions found during analysis
  •    Dump created
    Get a copy of all files created during analysis in the folder of your choice
  •    Support
    Get support for your questions or feedback
  •    Automatic Updates
    Update the software with one click


  • Special plans available for companies.
  • Unlimited
  • Private emails and public forum


  • Limited
    Nag window every analysis
  • Public Forum.
  • Manual Updates.

IconDownload DiffView
AuthorAdlice Software
File Size24.32 MB
Operating SystemWindows XP, Vista, 7, 8, 8.1, 10. 32/64 bits
Tags   analysis     difference     filesystem     malware     process     registry     research     sandbox  

Adlice DiffView is a software used by researchers at Antivirus companies or CERT worldwide in order to perform dynamic malware analysis.

It's often complicated to know what a software is really doing on a machine. Some people rely on various software, like Process Monitor, Cuckoo, or even firewalls, to get a rough idea of its behavior. But such tools generate very big reports that are hard to analyze or are complicated to setup.

Adlice DiffView logs only relevant activity to help researchers making up their mind on a suspicious file. The software uses kernel level driver to monitor the system and heuristics engine to build indicators and malicious score.

DiffView is fully portable and doesn't require any server side installation, nor specific architecture or software requirements. Just run it on your favorite VM and that's it.



  • Unlike "classic" sandboxes, DiffView does NOT block malicious actions. Do NOT analyze malware on production environments.
  • DiffView is still in BETA version, and may contain bugs. Please use with caution and report them.



  • Start analysis on a file
  • Start analysis on a running process (pid)
  • Start analysis on a command line
  • Capture processes activity (creation/destruction)
  • Capture filesystem modifications (files creation/write/...)
  • Capture registry modifications (key or values creation/write/...)
  • Dump files created in a folder your choice (Premium)
  • Malicious score with indicators (Premium)
  • Cherry pick analysis options for faster execution
  • Generate a text report of each analysis (history available)



Please refer to the general documentation.

setup.exe (Installer 32/64 bits)Download 
DiffView.exe (32 bits)Download 
DiffView.exe (64 bits)Download