Isn't SmartScreen's job to validate the signature of the executable file with Microsoft? So it might just be sending the executable's signed public key to check for validity/revocation. Since OP hasn't posted the unencrypted communication, we may not know. Doesn't Google do something similar with Chrome? It sends a part of the hash of every site you visit to its servers for comparison against a list of malware and phishing sites.
Not with 100% accuracy, I must say. If you are a company developing products, you would have many different products, and all of those products end up being signed using a single private key. So assuming that it only sends a company's public key for validation, it would still have to take a guess as to which product was downloaded.
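The partial-hash lookup mentioned above (Chrome's Safe Browsing style check) is easy to model. The following is an added example, not code from the original thread or from Google: the client hashes the canonicalized URL, sends only a short prefix of that hash, gets back every full hash on the blocklist that shares the prefix, and does the final comparison locally, so the server never sees the full hash of the page visited. The `canonicalize` rules, the `LookupServer` class and the blocklist contents are constructed stand-ins for demonstration; the real Safe Browsing canonicalization and update protocol have many more rules.

```python
import hashlib
from urllib.parse import urlsplit

# Google's Safe Browsing lookups send 4-byte hash prefixes; kept as a constant so
# the privacy trade-off (shorter prefix = more URLs per bucket) is visible.
PREFIX_LEN = 4


def canonicalize(url: str) -> str:
    """Constructed, simplified canonicalization: lower-case host, drop scheme,
    port and fragment, keep path and query. Stand-in for the real rules."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{path}{query}"


def full_hash(url: str) -> bytes:
    """SHA-256 of the canonical URL; this is what the blocklist is keyed on."""
    return hashlib.sha256(canonicalize(url).encode()).digest()


def hash_prefix(url: str) -> bytes:
    """The only thing the client sends over the wire."""
    return full_hash(url)[:PREFIX_LEN]


class LookupServer:
    """Constructed stand-in for the blocklist service. It records every request
    it receives so the example can show what the server actually learns."""

    def __init__(self, bad_urls):
        self.bad_hashes = {full_hash(u) for u in bad_urls}
        self.requests_seen = []

    def lookup(self, prefix: bytes):
        # Server side: return every full hash on the list that starts with the
        # prefix. It cannot tell which of those (or which non-listed URL with
        # the same prefix) the client is really visiting.
        self.requests_seen.append(prefix)
        return {h for h in self.bad_hashes if h.startswith(prefix)}


def is_blocked(server: LookupServer, url: str) -> bool:
    """Client side: send the prefix, compare the returned full hashes locally."""
    candidates = server.lookup(hash_prefix(url))
    return full_hash(url) in candidates


def server_saw_full_hash(server: LookupServer, url: str) -> bool:
    """Sanity check on the privacy property: the full hash never leaves the client."""
    return full_hash(url) in server.requests_seen


if __name__ == "__main__":
    # Constructed blocklist for the demonstration.
    server = LookupServer(["http://evil.example/phish", "http://bad.example/dl/setup.exe"])
    for visited in ["http://Evil.example/phish", "https://benign.example/"]:
        print(visited, "blocked" if is_blocked(server, visited) else "allowed")
    print("prefix bytes sent per lookup:", {len(p) for p in server.requests_seen})
```

The same question applies to the SmartScreen traffic discussed above: what the server can infer depends entirely on what the client sends. A signer's certificate identifies the publisher and, as the reply points out, nothing more specific than that when one key signs many products; a full file hash identifies the exact download; a truncated hash prefix, as here, identifies only a bucket of candidates.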