The "High" classification is a generic risk severity indicator utilized by heuristic antivirus engines and threat intelligence platforms. It is not a specific malware family, but rather a definitive flag indicating that an analyzed file or process exhibits behaviors fundamentally dangerous to the security and integrity of a system.
Behavioral Context and Detection Mechanisms
Security tools assign a "High" risk label when a file engages in activities that strongly correlate with destructive malware or advanced persistent threats (APTs), even if the file's static signature does not match a known database entry. Behaviors that trigger a "High" severity alert include:
Ransomware Indicators: Rapid, mass encryption of files in user directories, or attempts to delete Volume Shadow Copies (`vssadmin.exe delete shadows`).
Privilege Escalation: Unauthorized attempts to exploit known local vulnerabilities (e.g., exploiting outdated drivers) to gain `SYSTEM` level access.
Defense Evasion: Actively attempting to terminate security processes, disable Windows Defender, or unhook user-mode APIs used by EDR solutions.
Risk Assessment and Incident Triage
An alert classified as "High" requires immediate, critical incident response. Unlike generic adware labels, a "High" detection indicates an active attempt to compromise the network, steal data, or cause significant operational disruption.
Response and Eradication Strategy
Immediate Containment: The endpoint triggering the "High" alert must be instantly severed from the corporate network, either physically or via network isolation features within the EDR platform, to halt lateral movement.
Forensic Capture: Capture a memory dump and disk image of the isolated endpoint for forensic analysis to determine the scope of the breach and identify the specific threat actor or malware family involved.
Threat Hunting: Utilize the behavioral indicators that triggered the alert (e.g., specific command-line arguments, dropped file paths) to conduct a proactive threat hunt across the entire enterprise environment.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1204
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
YARA Rule
rule MALWARE_WIN_HIGH {
meta:
description = "Detects High (generic_detection)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "high" ascii wide nocase
$s2 = "highrisk" ascii wide nocase
$s3 = "risk.high" ascii wide nocase
$s4 = "generic.high" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}
Sigma Rule
title: Suspicious High Activity
id: 8d966b2253a917086c8604959e152243
status: experimental
description: Detects generic indicators of the high malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*high*"
- "*highrisk*"
- "*risk.high*"
- "*generic.high*"
condition: selection
level: medium