Base64 Encoder / Decoder

Encode and decode Base64, Hex and URL-encoded strings instantly. Includes a dedicated PowerShell encoded command decoder for malware analysis and incident response.

PowerShell Encoded Command Decoder

Attackers frequently use powershell -EncodedCommand <base64> to obfuscate malicious scripts. Paste the Base64 string from a -EncodedCommand or -enc argument here to decode it. Uses UTF-16LE encoding as PowerShell does internally.

About Base64, Hex and URL Encoding

Base64 is a binary-to-text encoding scheme that converts binary data into a set of 64 printable ASCII characters. It is widely used in IT and web development to safely transmit data through systems that only handle text. Common uses include encoding email attachments in MIME, embedding images directly in HTML or CSS as data URIs, passing credentials in HTTP Basic Authentication headers and storing binary data in JSON or XML payloads.

Hex encoding converts each byte of data into its two-character hexadecimal representation. This is commonly used in network protocol debugging, memory dump analysis, cryptographic key representation and low-level hardware work. A byte value of 65 (the letter A) becomes the hex string 41.

URL encoding, also called percent encoding, replaces characters that are not safe in URLs with a percent sign followed by two hex digits. For example, a space becomes %20 and an ampersand becomes %26. This is essential when passing special characters in query strings or form submissions.

Common Use Cases

  • 🔐 HTTP Basic Authentication. Credentials are sent as Base64 in the Authorization header. Decode them to verify what credentials an application is using, for example YWRtaW46cGFzc3dvcmQ= decodes to admin:password.
  • 🛡️ Malware analysis. Attackers encode PowerShell with -EncodedCommand to bypass plain-text detection. The dedicated decoder reveals the actual script using the correct UTF-16LE encoding PowerShell uses internally.
  • 🌐 API debugging. Decode Base64 tokens from API responses or JWT payloads to inspect their content during development or troubleshooting.
  • 🔗 URL sanitisation. URL-encode query string parameters before passing them to avoid breaking the URL structure when values contain special characters like &, =, + or spaces.
  • 📋 Windows Event ID 4104. PowerShell script block logging captures encoded commands. Use this tool alongside Event ID 4104 to decode and read the actual script that was executed.

Encoding Examples

Base64 encode
Input: Hello, IT World!
Output: SGVsbG8sIElUIFdvcmxkIQ==

Hex encode
Input: 192.168.1.1
Output: 31 39 32 2e 31 36 38 2e 31 2e 31

URL encode
Input: user=admin&pass=P@$$w0rd!
Output: user%3Dadmin%26pass%3DP%40%24%24w0rd%21

HTTP Basic Auth decode
Input: YWRtaW46UEBTJCRXMHJkIQ==
Output: admin:P@S$$W0rd!

Why does Base64 output end with == sometimes?

Base64 encodes input in groups of 3 bytes, each producing 4 output characters. When the input length is not divisible by 3, padding characters (=) fill out the last group. One = means the last group was one byte short, and == means it was two bytes short.

Why does PowerShell use UTF-16LE for encoding?

Windows and .NET use UTF-16 as their native string encoding internally. When PowerShell base64-encodes a command, it first converts the string to UTF-16LE bytes, then base64-encodes those bytes. Standard UTF-8 base64 decoders will produce garbled output because they do not account for the two-byte character representation.
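
The decoding steps described above, as an added Python example (not this tool's own code): it pulls the -EncodedCommand argument out of a logged command line, decodes it as UTF-16LE, and shows what a UTF-8 decoder returns for the same bytes. The function names and the sample command line are constructed for illustration, and the parameter abbreviations it accepts beyond -enc are an assumption about how the command was written.

```python
import base64
import binascii
import re

# "-name value" pairs where the value uses only Base64 characters.
_PARAM = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/=]+)")

def find_encoded_argument(command_line):
    """Return the Base64 value passed to -EncodedCommand, or None."""
    for name, value in _PARAM.findall(command_line):
        name = name.lower()
        # PowerShell accepts abbreviations of the parameter name
        # (-enc, -e) and the short form -ec.
        if "encodedcommand".startswith(name) or name == "ec":
            return value
    return None

def decode_encoded_command(b64):
    """Strict Base64 decode, then interpret the bytes as UTF-16LE."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count, cannot be UTF-16LE")
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError(f"not UTF-16LE text: {exc}") from exc

def decode_as_utf8(b64):
    """What a generic Base64-to-text decoder shows for the same input."""
    return base64.b64decode(b64, validate=True).decode("utf-8", "replace")

# Constructed sample: a process command line as it might appear in a log.
SAMPLE = "powershell.exe -NoProfile -OutputFormat Text -enc RwBlAHQALQBEAGEAdABlAA=="

if __name__ == "__main__":
    arg = find_encoded_argument(SAMPLE)
    print("argument :", arg)
    print("utf-16le :", decode_encoded_command(arg))
    print("utf-8    :", repr(decode_as_utf8(arg)))
```

An even-length UTF-8 payload, such as the Basic Auth value YWRtaW46cGFzc3dvcmQ= from the use cases above, decodes as UTF-16LE without error into unrelated CJK characters. Output like that indicates the input was not a PowerShell encoded command.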