Everything posted by TororoImo

  1. Before that, start Task Scheduler as administrator. You can do this from a Windows admin account, or you can type Task Scheduler into the Windows search bar and click on the option to start it as administrator. Running Task Scheduler as a standard user will not allow you to see most of the scheduled tasks, including Epson PowerENGAGE. Sorry to dribble out this advice, but the original version of this part kept getting blocked because the wording apparently looked like potential spam, so I had to post it a piece at a time to try to figure out which was the offending part. Another false positive...
  2. If anyone comes across a similar issue: Then open "Task Scheduler Library," expand the window, then sort by "Last Run Time" by clicking on it. Look for a task that ran at the same time as the Malwarebytes-reported RTP event.
  3. Thank you, Porthos. Epson Support's reply consisted of instructions on how to uninstall Epson PowerENGAGE through the usual Windows method (Settings > Apps). I did so, and doing so also removed the Task Scheduler entry.
  4. Installing an Epson printer also installed something called Epson PowerENGAGE. From what I have gathered online, other printer manufacturers install their own versions of PowerENGAGE. It seems to be some kind of marketing software. Installation also placed an item in Task Scheduler that launches Epson PowerENGAGE.exe every 6 hours.

     Earlier this month, Malwarebytes Premium real time protection started to detect the launch as an exploit and shut it down. The log did not name PowerENGAGE specifically, but it did include the following:

         Malware.Exploit.Agent.Generic, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, (and then some numbers)

         -Exploit Data-
         Affected Application: cmd
         Protection Layer: Application Behavior Protection
         Protection Technique: Exploit payload process blocked
         File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid
         URL:

     Since the offending program was not listed, figuring out that PowerENGAGE was the problem took some work. The big clue was that Malwarebytes detected this exploit twice, and both detections took place at 44 minutes after the hour. I went to Task Scheduler and looked for anything scheduled to run at HH:44, and sure enough, there was Epson PowerENGAGE.

     Anyway, I went to C:\Program Files (x86)\Epson PowerENGAGE and double-clicked on Epson PowerEngage.exe, and it triggered the same Malwarebytes detection. I have sent an email to Epson support asking them about this app. I will probably uninstall it.

     Anyway, if anyone gets these same detections, you might look in Task Scheduler for some version of PowerEngage. I spent many hours trying to track this down, and I hope I can save others the trouble.
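
The Task Scheduler triage described in these posts (sort by "Last Run Time", look for a task that lines up with the detection, or one that runs at the same minute past the hour) can also be scripted. The following PowerShell is an added example, not part of the original posts; the function name `Find-TaskNearDetection` is hypothetical and the timestamps are constructed samples to be replaced with the times from your own detection log.

```powershell
# Added example. Run from an elevated PowerShell session: a standard user
# sees only a subset of the scheduled tasks.
function Find-TaskNearDetection {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [datetime[]] $DetectionTime,
        [int] $WindowMinutes = 5
    )
    # If every detection shares one minute past the hour (the "HH:44" clue),
    # remember that minute. With a single detection this match is weaker.
    $minutes = @($DetectionTime | ForEach-Object { $_.Minute } | Sort-Object -Unique)

    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        if (-not $info -or -not $info.LastRunTime) { continue }

        # Match 1: the last run falls within the window around a detection.
        $nearRun = $false
        foreach ($d in $DetectionTime) {
            $gap = [math]::Abs(($info.LastRunTime - $d).TotalMinutes)
            if ($gap -le $WindowMinutes) { $nearRun = $true }
        }
        # Match 2: the last run is at the same minute past the hour.
        $sameMinute = ($minutes.Count -eq 1) -and
                      ($info.LastRunTime.Minute -eq $minutes[0])
        if (-not ($nearRun -or $sameMinute)) { continue }

        [pscustomobject]@{
            TaskPath      = $task.TaskPath
            TaskName      = $task.TaskName
            LastRunTime   = $info.LastRunTime
            NextRunTime   = $info.NextRunTime
            NearDetection = $nearRun
            SameMinute    = $sameMinute
            # What the task launches (empty for COM-handler actions).
            Action        = ($task.Actions | ForEach-Object {
                                "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
}

# Constructed sample timestamps: two detections, both at :44.
Find-TaskNearDetection -DetectionTime '2024-01-10 08:44:00', '2024-01-10 14:44:00' |
    Sort-Object LastRunTime -Descending | Format-List
```

A task flagged on both `NearDetection` and `SameMinute` is the strongest candidate; its `Action` column shows the executable to check against the detection.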