This was before the client even connected for the first time. And the IPs were well known C&C servers used for collecting keystrokes and screenshots of your O.S
Checking if their various servers exist on install seems likely. And well known C&C servers probably hide their actual IP, they'd be fairly easy to shut down if they didn't.