The source for the executable is in the repo:
amiga_exotic_players/test_player/test_player_win.c
The reason for the false positives is that the build was unusual. I was trying to make a single .exe with zero installed-runtime dependency, which led to a build profile that looks like the textbook "shape" of a packer or shellcode loader to heuristic AV engines. The "Gen:Variant.Lazy" family is specifically Bitdefender's structural heuristic, which a dozen other engines license, which is why the same pattern showed up under different names across so many vendors. The "!ml" suffix means machine-learning detection, not a signature match.
The main flags it hit:
CRT-free build with a custom mainCRTStartup entry, hand-rolled memset/memcpy/sin, etc. baked into the binary. Almost no legit Windows software does this.
Imports only kernel32, user32, winmm. A minimal import table is a known indicator for binaries that resolve APIs dynamically at runtime.
No VERSIONINFO resource, no application manifest, missing ASLR/DEP/NX bits.
Unsigned (the biggest factor long-term, but signing certs cost money).
Made a new executable (VirusTotal screenshot attached, now 0/71).
Its roughly twice the size, which is the cost of linking with the standard CRT:
Imports: KERNEL32.dll, msvcrt.dll, WINMM.dll. Three system DLLs, all present on every Windows since the 90s, no installed runtime needed.
DllCharacteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT (full ASLR/DEP/NX).
VS_VERSION_INFO block, embedded application manifest, normal int main() entry, recognizable CRT call shape in the code section.
Looks like a normal program now.
Code is pushed to the repo.
/vtlmks
