From where does Windows know, if a file is from a trusted or untrusted source? Microsofts Smartscreen writes the downloaded origin into the NTFS Alternate DataStreams of the file. In earlier version of windows it was the Zone, since Windows10 its the source URL, too.
Example: I've downloaded procexp.com from https://live.sysinternals.com/procexp.exe:
as ZoneID, ReferrerURL and HostUrl. This is also called Windows Defender SmartScreen Extended Mark of the Web.
Additional testing for Microsoft Defender Smartscreen can be found here: https://demo.smartscreen.msft.net/ & https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
.png)
