Hardware Performance Counter Analysis of Ransomware Behavior: Observed Inverse Correlations Across Heterogeneous x86 Platforms
Erliang Zhao, Ziyuan Zhu

During startup, ransomware is associated with abnormal fluctuations in underlying hardware resources. Hardware Performance Counters (HPC) can characterize this ultra-early behavior without interference from software-based countermeasures. However, existing studies lack a cross-platform hardware-layer analysis paradigm and typically neglect the first 10 s post-execution. This study selects two platforms—Windows 7 (homogeneous x86) and Windows 10 (Intel performance hybrid architecture with P-core (performance core) and E-core (efficiency core))—and constructs a large-scale dataset (1721 ransomware and 1039 benign samples on Windows 7; 1562 ransomware and 718 benign on Windows 10). On Windows 7, 25 HPC events are monitored. On Windows 10, each event yields two instance-level metrics (P-core and E-core), resulting in 42 instance-level metrics. Using statistical analysis (Pearson correlation, fold change) and feature selection (Random Forest + clustering), four core metrics are independently selected per platform. Windows 7 favors LLC and branch events (increasing trends, fold change ≥ 1.5, e.g., LLC-store_std), while Windows 10 favors P/E-core branch and cache events (decreasing trends, fold change ≤ 0.667, e.g., cpu_atom_branch-load-misses_max). The 10 s window is divided into startup (0–2 s), key generation (2–5 s), and encryption (5–10 s) phases. Results indicate opposite correlation patterns: resource-enhanced disturbance (positive correlation, fold change ≥ 1.5) on Windows 7 versus resource-suppressed disturbance (negative correlation, fold change ≤ 0.667) on Windows 10. Critically, startup-phase HPC events exhibit substantially stronger correlation on Windows 10 (S-level, >85%) compared to Windows 7 (A-level, 70–84%). This difference may be associated with the fine-grained P/E-core separation, which preserves core-type behavioral information that is aggregated and lost on homogeneous platforms.
This study contributes a cross-platform correlation framework, observes an architecture-dependent inversion pattern of HPC responses, and suggests that core-type granularity—rather than event quantity—is associated with stronger feature–behavior correlations on heterogeneous architectures, providing preliminary empirical insights for future lightweight detection system design.
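As an added illustration (not code from the paper), the following Python pipeline applies the abstract's phase windows, fold-change thresholds (≥ 1.5 enhanced, ≤ 0.667 suppressed) and correlation tiers (S > 85%, A = 70–84%) to constructed per-second counts of one hypothetical HPC metric. The sample runs, the 0/1 labelling of ransomware versus benign, and the use of Pearson r against that label are assumptions made for the example.

```python
from statistics import mean

PHASES = {"startup": (0, 2), "keygen": (2, 5), "encrypt": (5, 10)}  # seconds, per the abstract

# Constructed data (not from the paper): one HPC metric sampled once per second for the first
# 10 s after launch, for three ransomware runs and three benign runs.
RANSOMWARE = [
    [40, 42, 80, 82, 85, 130, 135, 140, 138, 142],
    [38, 41, 78, 84, 83, 128, 133, 139, 141, 140],
    [41, 43, 81, 80, 86, 131, 136, 137, 139, 143],
]
BENIGN = [
    [39, 40, 41, 40, 42, 41, 40, 43, 42, 41],
    [37, 39, 40, 42, 41, 40, 42, 41, 40, 42],
    [40, 41, 39, 41, 40, 42, 41, 40, 43, 41],
]

def phase_mean(series, phase):
    """Mean of the per-second counts that fall inside the phase window [start, end)."""
    start, end = PHASES[phase]
    return mean(series[start:end])

def fold_change(ransom_runs, benign_runs, phase):
    """Ransomware-to-benign ratio of the class means for one phase (the paper's fold change)."""
    r = mean(phase_mean(s, phase) for s in ransom_runs)
    b = mean(phase_mean(s, phase) for s in benign_runs)
    return r / b

def disturbance_type(fc):
    """Thresholds from the abstract: >= 1.5 enhanced (Win7 pattern), <= 0.667 suppressed (Win10)."""
    return "resource-enhanced" if fc >= 1.5 else "resource-suppressed" if fc <= 0.667 else "no clear disturbance"

def pearson(xs, ys):
    """Plain Pearson correlation coefficient; returns 0.0 when either side has no variance."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def label_correlation(ransom_runs, benign_runs, phase):
    """Pearson r between each run's phase mean and its class label (ransomware=1, benign=0)."""
    values = [phase_mean(s, phase) for s in ransom_runs + benign_runs]
    labels = [1] * len(ransom_runs) + [0] * len(benign_runs)
    return pearson(values, labels)

def grade(r):
    """Correlation tiers as the abstract reports them: S above 85 %, A from 70 % to 84 %."""
    pct = abs(r) * 100
    return "S" if pct > 85 else "A" if pct >= 70 else "below A"
```

With these constructed runs the encryption phase shows a strong enhanced disturbance (S-level), while the startup phase barely separates the classes, the opposite of what the abstract reports for Windows 10 and a reminder that the thresholds only become informative on real per-core counter data.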