We have an MX84 that alerted this morning about a "Retrospective" File Disposition Change. The event in question appears to be an exe download:
am_base_07038dbbb574078315e3d4d6d8e45491a4db3bd0.exe
sha256: e9ab8d11545dbad0ebf6ef6a35750d7051b0af2e72ba1fd8d464203140bcb55f
...downloaded from an apparently legit Microsoft domain:
au.download.windowsupdate.com
I am unable to find any documentation detailing why this file is being flagged. The VirusTotal results look clean as well. Can anyone shed any light?