wasted a lot of time....
installed clean win 7 in virtual machine
installed .net 4
installed sandboxie
installed avg (this time i used avg)
added folder to exception list
unpacked miner
started in sandbox
same result
from sandboxie
https://i.imgur.com/J2Vu8CE.png
without sandboxie
https://i.imgur.com/UHHzVZx.png
update
program ...... just copies itself O_O with that name to that appdata folder
https://i.imgur.com/hoUmAt9.png
same md5
anyway. name is way too suspicious and detection made me panic.