albchen

Hi, I noticed in my PowerShell logs that there is a base-64 encoded command run by evernote.exe to open an image saved in C:\Users\myusername\Appdata\Local\Temp\Attachments\<unique id>\<another id>\image.png. I investigated the image and my system logs, and it appears that this command is just opening the image, and not executing any embedded scripts. However, the command caught my eye since it appears extremely suspicious. Would the EverNote team be able to kindly confirm this is normal behavior? Thank you. The encoded command was preceded with suspicious use of PowerShell: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand