> I'm just curious more than anything.

What version of Windows were they using and what browser was used to
download your installer?

What you describe is quite likely a compromised installer or your
program inside.

If you still have the installer, if you can set up a VMware guest with
no network access, could you install this dodgy installer and find out
if your program hashes have changed? If they haven't, then it's possible
the installer may be compromised in some way, it might be doing stuff to
Windows like creating a new user with remote access or any number of
things to compromise a system.

Thing is, installers are perfect attack vectors for compromising a system
so you & I and every other software company is an attack vector.

Has your customer seen any of these weird behaviours?

Since the latest updates to Win10 1903 came down which forced all users
of VMware to upgrade to Player/Workstation 15.5 (see a thread in
c.l.c.), I have been experiencing at least once or twice a day, website
certificate errors with MS Edge for some international big companies,
e.g. MS and Dailymail.

I've never seen so many website certificate errors happening over so
many days now, but I would suspect web browsers are primary attack
vectors.

YouTube (a Google company) also seems to do some pretty funky stuff to
the computer, where the CPU fan spins up to max for periods of time and
it has crossed my mind that they might be testing Windows systems,
considering how Google likes to embarrass MS over zero days etc and
Google does also have the best intelligence website for zero days,
namely virustotal. A bit conspiratorial of me, but other big businesses
have done questionable things in the past, so why not Google?<vbg>

It is a case of who do you trust.<g>

--
-- Richard
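
The hash check suggested in the post above, as an added example that is not part of the original post: it compares SHA-256 hashes of an installed tree against a manifest taken from the known-good build output, and reports modified, missing and unexpected files. The directory layout, file names and the `demo` sample data are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(known_good: dict, installed: dict) -> dict:
    """Classify differences between the build manifest and the installed tree."""
    return {
        "modified": sorted(k for k in known_good
                           if k in installed and installed[k] != known_good[k]),
        "missing": sorted(k for k in known_good if k not in installed),
        "unexpected": sorted(k for k in installed if k not in known_good),
    }


def demo() -> dict:
    """Constructed sample: a build tree and an installed tree that differs from it."""
    with tempfile.TemporaryDirectory() as tmp:
        build, inst = Path(tmp, "build"), Path(tmp, "installed")
        for d in (build, inst):
            (d / "bin").mkdir(parents=True)
        (build / "bin" / "app.exe").write_bytes(b"original program bytes")
        (build / "bin" / "helper.dll").write_bytes(b"helper")
        (build / "readme.txt").write_bytes(b"docs")
        (inst / "bin" / "app.exe").write_bytes(b"original program bytes, altered")
        (inst / "bin" / "extra.dll").write_bytes(b"not shipped by the build")
        (inst / "readme.txt").write_bytes(b"docs")
        return compare(build_manifest(build), build_manifest(inst))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

An empty report covers only the program files; as the post says, the installer could still have changed Windows itself, for example by creating a new user.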