Pulse: Continued activity by APT28
TLP: WHITE | Adversary: Sofacy | Author: AlienVault | Created: 2019-05-30 | Modified: 2019-10-02
Indicators: 30 (medium volume)
Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts its strings and URLs using two observed encryption keys, one for string decryption and another for URL decryption. The decrypted strings are concatenated to build URLs that may serve as backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity, beginning with google.com and then yahoo.com. The sample issues a DNS request for google.com and, if that fails, attempts to reach yahoo.com. If either attempt succeeds, it calls out to what appears to be a C2 node, maylaytravelgroup.com, with multiple GET requests.
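As an added example (not code from the pulse or from AlienVault), the behaviour described above can be turned into detection logic over endpoint DNS and proxy telemetry. A lookup of google.com or yahoo.com is benign on its own, so the logic keys on GET requests to the apparent C2 domain and only uses the connectivity check as a confidence booster when it occurs shortly before the first C2 request. The log format, host names and timestamps below are constructed for the example and are not taken from the pulse.

```python
"""Detect the nbmssl.dll connectivity-check-then-beacon pattern in host telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Indicators carried by the pulse text.
NBMSSL_MD5 = "d51d485f98810ab1278df4e41b692761"
CONNECTIVITY_CHECK_DOMAINS = {"google.com", "yahoo.com"}
C2_DOMAIN = "maylaytravelgroup.com"

# Constructed sample telemetry (assumption: one event per line, two shapes):
#   "<ISO-8601 time> <host> DNS <qname>"           a DNS query
#   "<ISO-8601 time> <host> HTTP <method> <fqdn>"  a proxy/HTTP request
SAMPLE_LOG = """\
2019-05-30T10:00:00 ws-17 DNS google.com
2019-05-30T10:00:01 ws-17 HTTP GET maylaytravelgroup.com
2019-05-30T10:00:03 ws-17 HTTP GET maylaytravelgroup.com
2019-05-30T10:00:05 ws-17 HTTP GET maylaytravelgroup.com
2019-05-30T10:01:00 ws-03 DNS google.com
2019-05-30T10:01:02 ws-03 HTTP GET www.example.com
2019-05-30T10:02:00 ws-09 DNS yahoo.com
2019-05-30T10:02:04 ws-09 HTTP GET maylaytravelgroup.com
2019-05-30T11:30:00 ws-22 HTTP GET maylaytravelgroup.com
2019-05-30T11:30:02 ws-22 HTTP GET maylaytravelgroup.com
"""

_LINE = re.compile(r"^(\S+) (\S+) (DNS|HTTP) (\S+)(?: (\S+))?$")


class Event(NamedTuple):
    when: datetime
    host: str
    kind: str     # "DNS" or "HTTP"
    method: str   # HTTP method, empty for DNS
    target: str   # queried name or requested FQDN, lower-cased


def parse_log(text: str) -> List[Event]:
    """Parse the assumed line format; unknown or blank lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        when, host, kind, first, second = m.groups()
        ts = datetime.fromisoformat(when)
        if kind == "DNS":
            events.append(Event(ts, host, kind, "", first.lower()))
        else:
            events.append(Event(ts, host, kind, first.upper(), (second or "").lower()))
    return events


class Hit(NamedTuple):
    host: str
    c2_gets: int             # number of GET requests to the C2 domain
    preceded_by_check: bool  # connectivity-check DNS lookup shortly before the first GET


def _is_c2(fqdn: str) -> bool:
    return fqdn == C2_DOMAIN or fqdn.endswith("." + C2_DOMAIN)


def find_c2_hosts(events: List[Event], window: timedelta = timedelta(minutes=5)) -> Dict[str, Hit]:
    """Return every host that issued a GET to the C2 domain, with supporting context."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    hits: Dict[str, Hit] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.when)
        gets = [e for e in evs if e.kind == "HTTP" and e.method == "GET" and _is_c2(e.target)]
        if not gets:
            continue
        first_get = gets[0].when
        # The sample resolves google.com, falling back to yahoo.com, just before beaconing.
        checked = any(
            e.kind == "DNS"
            and e.target in CONNECTIVITY_CHECK_DOMAINS
            and first_get - window <= e.when <= first_get
            for e in evs
        )
        hits[host] = Hit(host, len(gets), checked)
    return hits


def high_confidence(hits: Dict[str, Hit], min_gets: int = 2) -> List[str]:
    """Hosts showing the full pattern: connectivity check followed by multiple C2 GETs."""
    return sorted(h.host for h in hits.values() if h.c2_gets >= min_gets and h.preceded_by_check)


if __name__ == "__main__":
    found = find_c2_hosts(parse_log(SAMPLE_LOG))
    for hit in found.values():
        print(hit)
    print("high confidence:", high_confidence(found))
```

Any GET to maylaytravelgroup.com is worth triage regardless of the DNS prelude; the `high_confidence` filter only prioritises hosts whose traffic matches the full sequence described in the pulse. Pair this network logic with a hash sweep for the MD5 above and the SHA256 in the indicator list.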
Indicators of Compromise (showing 1 of 30 total)
Type             Indicator                                                          Description  Created
FileHash-SHA256  b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44               2019-05-30