Process Writing DynamicWrapperX

Splunk Security Content

Summary
This analytic detects suspicious behavior around the creation and registration of 'dynwrapx.dll', the DynamicWrapperX ActiveX component that malicious scripts often load to call Windows API functions. The detection relies on process and filesystem events from the Endpoint datamodel. When a single process both writes 'dynwrapx.dll' to disk and modifies the registry to register that component, it indicates a potential security threat: this sequence typically signifies an attempt by an attacker to execute arbitrary code, escalate privileges, or establish persistence within the target environment. Any related processes and registry changes should be investigated immediately to assess whether the activity is legitimate, and analysts should prioritize reviewing additional telemetry surrounding the processes involved to confirm or rule out malicious intent.
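The correlation described above (one process both writing dynwrapx.dll and registering it in the registry), implemented as an added Python example rather than the Splunk search itself. The event shape, field names, paths and the CLSID value are constructed for the example and are not taken from Splunk's datamodel.

```python
from collections import defaultdict

# Constructed sample events loosely modelled on endpoint file-create and
# registry-value-set telemetry. Field names and values are assumptions made
# for this example, not the Endpoint datamodel's fields.
SAMPLE_EVENTS = [
    # Process 4412 writes the DLL and then registers it as a COM in-proc server.
    {"type": "file_create", "pid": 4412, "process": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Public\dynwrapx.dll"},
    {"type": "registry_set", "pid": 4412, "process": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "value": r"C:\Users\Public\dynwrapx.dll"},
    # Benign installer registering an unrelated DLL: must not match.
    {"type": "file_create", "pid": 900, "process": r"C:\Temp\setup.exe",
     "path": r"C:\Program Files\Tool\helper.dll"},
    {"type": "registry_set", "pid": 900, "process": r"C:\Temp\setup.exe",
     "key": r"HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32",
     "value": r"C:\Program Files\Tool\helper.dll"},
    # DLL written but never registered: noted, but not a full match.
    {"type": "file_create", "pid": 2200, "process": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Temp\dynwrapx.dll"},
]


def find_dynwrapx_registrations(events):
    """Return one finding per process that both wrote dynwrapx.dll and
    set a registry value pointing at it (the analytic's condition)."""
    writes = defaultdict(list)   # pid -> paths written
    regs = defaultdict(list)     # pid -> registry keys set
    process_name = {}
    for ev in events:
        pid = ev["pid"]
        process_name.setdefault(pid, ev["process"])
        if ev["type"] == "file_create" and ev["path"].lower().endswith("\\dynwrapx.dll"):
            writes[pid].append(ev["path"])
        elif ev["type"] == "registry_set" and "dynwrapx.dll" in ev["value"].lower():
            regs[pid].append(ev["key"])
    # Only processes present in BOTH maps satisfy the write-and-register pattern.
    return [
        {"pid": pid, "process": process_name[pid],
         "file_paths": writes[pid], "registry_keys": regs[pid]}
        for pid in sorted(writes.keys() & regs.keys())
    ]


if __name__ == "__main__":
    for finding in find_dynwrapx_registrations(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the pid join would be done on a process identifier that survives pid reuse, and the matched process, file path and registry key would be the starting point for the follow-up review the summary calls for.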
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • File
ATT&CK Techniques
  • T1059
  • T1559.001
Created: 2024-11-13