
Plugin that decompiles malware PE files into readable C code using hybrid analysis.
Joe Sandbox DEC is a decompilation plugin for the Joe Sandbox product family that converts malware binaries into readable C code using a technique called Hybrid Decompilation. The tool operates on unpacked PE files extracted directly from process memory dumps. It applies static decompilation techniques while incorporating dynamic analysis data from Hybrid Code Analysis (HCA) to improve and extend the decompilation output.

Key capabilities include:

- Reconstruction of function prototypes and local variables from raw disassembly
- Generation of high-level control structures (if, switch/case, do/while/for loops) from low-level jumps and comparisons
- Recovery of high-level type information using an extensive database of Windows API types and function prototypes
- Resolution of indirect function calls using dynamic data from Hybrid Code Analysis
- Annotation of generated C code with runtime comments (e.g., statement execution status, variable runtime values)

The decompilation process is fully automatic and produces C code that is embedded directly into the Joe Sandbox behavior report. Joe Sandbox DEC is designed to reduce the time analysts spend reviewing raw disassembly by providing an equivalent, higher-level C code representation of malware samples. It functions as a plugin and is compatible with Joe Sandbox Desktop, Joe Sandbox Light, and Joe Sandbox Ultimate.
Common questions about Joe Sandbox DEC including features, pricing, alternatives, and user reviews.
Joe Sandbox DEC is a plugin, developed by Joe Security, that decompiles malware PE files into readable C code using hybrid analysis. It is a Security Operations solution designed to help security teams with Reverse Engineering, Dynamic Analysis, and Binary Analysis.
Agentic AI tool for automated malware reverse engineering & phishing analysis.
A command-line tool for analyzing and extracting detailed information from Windows Portable Executable (PE) files.
A static analysis tool for PE files that identifies potential malicious indicators through compiler detection, packing analysis, signature matching, and suspicious string identification.
A .NET assembly debugger and editor that enables reverse engineering and dynamic analysis of compiled .NET applications without source code access.