
I spotted loads of malicious network traffic, and using the Sysinternals Autoruns[0] utility I was able to spot attempts at persistence. I also checked the outbound connections and they were C&C servers. I can't remember if the installer was digitally signed or not, but there was definitely malware in it. I always make sure to opt out of any adware that might be bundled with an installer, but this seems to have been injected surreptitiously, and installed with very little interaction.

Just be careful with the bespoke VPN clients as they are very juicy targets for MITM attacks. I know I would be going after VPN software if I wanted to do exfiltration for a small subset of users trying to hide their tracks from governments and ISPs.

[0] https://technet.microsoft.com/en-us/sysinternals/bb963902.as...




So an installer was trying to set up autoruns, and the outbound connection IPs were on some list? The first part seems like expected behavior, the second sounds like your list of bad IPs included several that one of the most popular VPN providers use.


This was before the client even connected for the first time. And the IPs were well-known C&C servers used for collecting keystrokes and screenshots of your OS.


Checking if their various servers exist on install seems likely. And well-known C&C servers probably hide their actual IP; they'd be fairly easy to shut down if they didn't.


> I spotted loads of malicious network traffic

Care to provide anything substantial (e.g. net dumps or screenshots at least)?

> and they were C&C servers

How do you know that? Have you MITM'd your connection? Do you have anything besides generic spooky words?


> Have you MITM'd your connection

Yes, with another Sysinternals tool called TCPView https://technet.microsoft.com/en-us/sysinternals/tcpview.asp...

You don't even need an AV product, you can spot malicious activity by eye alone.
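The triage the thread describes (TCPView or `netstat -ano` for outbound connections, Autoruns for persistence, a list of known C&C addresses to compare against) can be scripted so the two observations are correlated rather than judged "by eye". The following is an added example written for this page, not code from any commenter or from Sysinternals. Every input is constructed: the netstat-style text, the PID-to-image mapping, the autorun entries and the blocklist are placeholders (TEST-NET addresses and invented file names), not real indicators.

```python
"""Correlate outbound connections with a C&C blocklist and autorun persistence.

Added example for this thread; all sample data below is constructed, and the
blocklist addresses are documentation-range placeholders, not real C&C servers.
"""

import ipaddress
import re
from dataclasses import dataclass

# Constructed `netstat -ano`-style snapshot (Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49732     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49733     198.51.100.7:8080      ESTABLISHED     4120
  TCP    192.168.1.20:49740     93.184.216.34:443      ESTABLISHED     2312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    1888
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
TASKLIST_SAMPLE = {
    4120: "vpn-setup.exe",
    2312: "browser.exe",
    900: "svchost.exe",
    1888: "svchost.exe",
}

# Constructed autorun entries, in the shape Autoruns enumerates from the Run keys.
AUTORUNS_SAMPLE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\x\AppData\Roaming\vpn-setup.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
}

# Constructed "known C&C" blocklist (placeholder addresses from TEST-NET ranges).
C2_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}


@dataclass(frozen=True)
class Conn:
    proto: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int


# UDP rows carry no State column, so the state group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> list[Conn]:
    """Parse netstat -ano style output; header and unparseable rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, remote, state, pid = m.groups()
        ip, _, port = remote.rpartition(":")
        ip = ip.strip("[]")  # IPv6 endpoints appear as [addr]:port
        conns.append(Conn(proto, ip, int(port) if port.isdigit() else 0, state or "", int(pid)))
    return conns


def blocklisted(conns: list[Conn], blocklist: set[str]) -> list[Conn]:
    """Connections whose remote address is on the blocklist (wildcards ignored)."""
    bad = {ipaddress.ip_address(a) for a in blocklist}
    hits = []
    for c in conns:
        try:
            addr = ipaddress.ip_address(c.remote_ip)
        except ValueError:  # "*" or other non-address placeholders
            continue
        if addr in bad:
            hits.append(c)
    return hits


def suspicious_processes(conns, tasklist, autoruns, blocklist) -> dict:
    """Per PID: image name, blocklisted remotes, and whether an autorun entry points at it.

    A blocklist hit alone is weak evidence (lists go stale, shared hosting, CDNs);
    pairing it with a persistence entry for the same image is what makes it worth a look.
    """
    autorun_images = {path.rsplit("\\", 1)[-1].lower() for path in autoruns.values()}
    report = {}
    for c in blocklisted(conns, blocklist):
        image = tasklist.get(c.pid, "<unknown>")
        entry = report.setdefault(
            c.pid, {"image": image, "remotes": set(), "persistence": image.lower() in autorun_images}
        )
        entry["remotes"].add(f"{c.remote_ip}:{c.remote_port}")
    return report


if __name__ == "__main__":
    findings = suspicious_processes(parse_netstat(NETSTAT_SAMPLE), TASKLIST_SAMPLE, AUTORUNS_SAMPLE, C2_BLOCKLIST)
    for pid, info in findings.items():
        flag = "PERSISTENT" if info["persistence"] else "no autorun"
        print(f"PID {pid} ({info['image']}): {sorted(info['remotes'])} [{flag}]")
```

To use it on a real host, replace the three constructed inputs with the output of `netstat -ano`, `tasklist`, and an Autoruns export, and a blocklist you actually trust. The report only escalates a process when both signals agree, which is the point the skeptical replies above make: an address on a list is a lead, not proof, until it is tied to something that survives a reboot.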



