Domino targets Windows OS, it is based on Hidden Tear, and its current method of distribution is unknown. It masquerades as a KMSPico Windows activation crack installation file. When executed, it places a randomly named file into the %Temp% folder which then extracts a password-protected zip file named Help.zip. The password for this ZIP file is abc123456 and, within it, are two additional files: help.exe, which launches the encryption process, and HelloWorld.exe, the executable responsible for generating the ransom note. Encrypted files will display the .domino file extension. Domino demands a ransom payment of 1 Bitcoin and threatens to delete the victim’s decryption key after 72 hours.