The modified executable got rated as Trusted by “Cloud Lookup”, which was enabled when the file was run.
When Cloud Lookup is disabled the modified executable gets rated as Unrecognized and runs Virtually.
It seems the modified file is known in the Cloud Lookup database.
Yes, that’s exactly what happened. I reproduced it multiple times and each time the modified file got trusted by Cloud Lookup.
I’m still a bit surprised by this though.
So a valid question would be: Does the Cloud Lookup database contain both signed trusted and unsigned trusted files?
If so, then everything is fine.