home

setup.exe

Deepwell

The application setup.exe by Deepwell has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the Tomorrow Software Installer installer. The file has been seen being downloaded from www.downthat.com.
Publisher:
Full Savvy Install  (signed by Deepwell)

Product:
Full Savvy Install

Version:
75.9.4.6363

MD5:
5f55335883514fc54f8af7546a88bc0c

SHA-1:
efeaf5ec928c3071dfc670de912140c2d4130819

SHA-256:
c0e52af47739343faff6b8d7902197c80ef8fe93b53afd8d871f7a4c78315433

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
8/6/2025 4:03:06 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AVG
Generic
2017.0.2843

Baidu Antivirus
PUA.Win32.DownloadAdmin
4.0.3.1624

Bkav FE
W32.HfsAdware
1.3.0.7383

Dr.Web
Trojan.Vittalia.735
9.0.1.035

ESET NOD32
Win32/DownloadAdmin.P potentially unwanted (variant)
10.12462

Fortinet FortiGate
Riskware/DownloadAdmin
2/4/2016

F-Prot
W32/S-3bfe598a
v6.4.7.1.166

K7 AntiVirus
Adware
13.212.17641

Malwarebytes
PUP.Optional.DownLoadAdmin
v2016.02.04.12

McAfee
Artemis!0EF26F8F2FF4
5600.6499

NANO AntiVirus
Trojan.Win32.Vittalia.dxxgfw
0.30.26.3947

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.TomorrowSoftware.Deepwell.Bundler (M)
16.2.4.12

Rising Antivirus
PE:Malware.RDM.04!5.A[F1]
23.00.65.16202

Sophos
Download Admin (PUA)
4.98

VIPRE Antivirus
Trojan.Win32.Generic
44806

Zillya! Antivirus
Adware.AdPeak.Win32.252
2.0.0.2472

File size:
866.8 KB (887,600 bytes)

Product version:
75.9.4.6363

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Tomorrow Software Installer

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Deepwell

Authority:
GoDaddy.com, Inc.

Valid from:
9/10/2015 3:38:55 PM

Valid to:
9/10/2016 3:38:55 PM

Subject:
CN=Deepwell, O=Deepwell, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0080C523CA00812FD1

File PE Metadata
Compilation timestamp:
10/14/2014 11:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:Ip3Bg30Lwf92kZhVPHpCxCR+QGZMP8EL6T6Op:k00L49phLCxS+iP8EmT6e

Entry address:
0x36CF

Entry point:
E8, BC, A1, 00, 00, E9, BE, 9A, 00, 00, CC, CC, CC, CC, CC, CC, CC, FF, 25, 4C, 47, 41, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 83, EC, 78, 56, 57, E8, C6, 0C, 00, 00, E8, F1, DE, FF, FF, 8B, B4, 24, 88, 00, 00, 00, 8B, BC, 24, 84, 00, 00, 00, 56, 57, E8, 5C, 10, 00, 00, 56, 57, E8, B5, E1, FF, FF, 8B, 06, 83, C4, 10, 50, FF, 15, 4C, F0, 40, 00, 83, F8, FF, 74, 2E, 8B, 0E, 68, D4, 46, 41, 00, 68, C8, 44, 41, 00, 68, 04, 01, 00, 00, 51, FF, 15, DC, F0, 40, 00, 85, C0, 74, 07, 3D, 04, 01, 00, 00, 76, 2B...
 
[+]

Code size:
52.5 KB (53,760 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://www.downthat.com/.../300?sub_id=31430933141417708299&pub_id=303&template=lp3

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.