{"id":988,"date":"2024-08-27T16:22:32","date_gmt":"2024-08-27T16:22:32","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=988"},"modified":"2025-07-28T09:31:40","modified_gmt":"2025-07-28T09:31:40","slug":"analysis-of-malware-sample-proforma-invoice","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-malware-sample-proforma-invoice\/","title":{"rendered":"Analysis of Malware Sample &#8211; Proforma Invoice"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"454\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/Proforma-Sample-featured-image_1.webp\" alt=\"\" class=\"wp-image-1030\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Version:1.0 StartHTML:000000270 EndHTML:000015702 StartFragment:000007053 EndFragment:000015634 StartSelection:000007053 EndSelection:000015630 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=9&amp;url=Analysis%20of%20Malware%20Sample%20-%20Proforma%20Invoice LMNTRIX Labs LMNTRIX Labs<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Summary<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This malware sample masquerading as a Proforma Invoice was identified through a recent spear phishing attack on one of our client networks. The sample in question is a .NET file and comes with the name \u2018Proforma Invoice\u2019. We are sharing it for the benefit of the community.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">File Details<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">MD5 3ed79c9a988e427db39aa62e625a2116<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SHA-1 85b0198ba27fa5b8e1d3625dbcd45776d64cd741<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SHA-256 de30a5cc95453a372b717a632fc6c9ec0b101c2afa9ba5e472e95025fd227ddd<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Size 929.5 KB (951808 bytes)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Type Win32 EXE<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono\/.Net assembly<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Detection ratio 37 \/ 57<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First submission 2016-09-23 07:41:57 UTC ( 5 months, 1 week ago )<br>This malware is already present in Virus Total, having been initially submitted in September 2016.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Characteristics and Behavior<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sends PC main information to external server<\/li>\n\n\n\n<li>Injects code into other processes<\/li>\n\n\n\n<li>Common autorun registry key<\/li>\n\n\n\n<li>Access browser sensitive data: Mozilla SeaMonkey<\/li>\n\n\n\n<li>Access Mozilla Firefox security module<\/li>\n\n\n\n<li>Contains cryptographic functionality<\/li>\n\n\n\n<li>Access Opera passwords<\/li>\n\n\n\n<li>Steals Internet Explorer passwords<\/li>\n\n\n\n<li>Loads PE into other process memory<\/li>\n\n\n\n<li>Runs dropped executable<\/li>\n\n\n\n<li>Access Mozilla Firefox history<\/li>\n\n\n\n<li>Contains HTML page<\/li>\n\n\n\n<li>Access Mozilla Firefox passwords<\/li>\n\n\n\n<li>Access email client software sensitive data: Thunderbird<\/li>\n\n\n\n<li>Access email client software sensitive data: Windows Livemail<\/li>\n\n\n\n<li>Access email client software sensitive data: Outlook<\/li>\n\n\n\n<li>Access email client software sensitive data: IncrediMail<\/li>\n\n\n\n<li>Access email client software sensitive data: Eudora<\/li>\n\n\n\n<li>Access email client software sensitive data: Group Mail<\/li>\n\n\n\n<li>Access Mozilla Firefox certificates<\/li>\n\n\n\n<li>Access FTP software sensitive data: Filezilla<\/li>\n\n\n\n<li>Access instant messaging software sensitive data: Google Talk<\/li>\n\n\n\n<li>Access Mozilla Firefox file that stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history<\/li>\n\n\n\n<li>Access instant messaging software sensitive data: Paltalk<\/li>\n\n\n\n<li>Access instant messaging software sensitive data: Yahoo Pager<\/li>\n\n\n\n<li>Runs existing executable<\/li>\n\n\n\n<li>Suspicious delay<\/li>\n\n\n\n<li>Check user main folders path<\/li>\n\n\n\n<li>Drops .EXE file<\/li>\n\n\n\n<li>Access Windows sensitive data: Windows Profiles information<\/li>\n\n\n\n<li>EntryPoint points inside a writable section<\/li>\n\n\n\n<li>Gathers system main data (MachineGUID, ComputerName, SystemBiosVersion \u2026)<\/li>\n\n\n\n<li>Loads PE into its own memory<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Process, Registry, Network Activities<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">%appdata%\\sapp.exe<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This created sample is a duplicate of an original file \u2013 it also created an autostart entry for this file to keep persistence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run &#8220;Application&#8221;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    Type: REG_SZ\n\n    Data: C:\\Documents and Settings\\user\\Application Data\\sapp.exe<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We noticed that sample creates a new process called Regasm.exe, which is part of the .net framework in Windows. Strings within regasm.exe confirmed that this malware collects passwords by logging keystrokes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Very Important Strings<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Important.exe<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxp:\/\/www(.)twentysixjune(.)biz\/jonoTwo-4sept-14oct\/<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Window title:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">End:]\n\n\n\n<p class=\"wp-block-paragraph\">Machine Time:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Keystrokes typed:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Keystrokes<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[Back]\n\n\n\n<p class=\"wp-block-paragraph\">Notification<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Time:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Text:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$C$l$i$p$b$oa$rd$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SupremeQuality<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MediumQuality<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LowQuality<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">image#\/#upload#.#php<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.jpg<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ylbmessAgnitucexEteG<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Key<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$pos$t$.$ph$p$?$ty$p$e$=$k$eys$tro$ke$s$&amp;$mac$hi$ne$na$me$=$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;windowtitle=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;keystrokestyped=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">=emitenihcam&amp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sdrowssaP<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">po#st.#ph#p?#typ#e=p#assw#ords#&amp;mach#inen#ame=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;application=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;link=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;username=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">=drowssap&amp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">draobpilC<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$po$st$.$ph$p$?$ty$pe$=$cl$ip$boa$rd&amp;$mac$hine$nam$e=$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&amp;clipboardtext=<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Screenshot<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$pos$t.$p$hp$?$typ$e=$not$ific$a$tion$&amp;$mac$h$in$e$n$a$m$e$=$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\Paltalk<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">InstallerAppDir<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Win32_LogicalDisk.DeviceID=&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">VolumeSerialNumber<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\Paltalk\\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">nickname<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">pwd<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Passwords<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paltalk<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Program: FileZilla<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">FileZilla\\recentservers.xml<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">FileZilla\\sitemanager.xml<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$&lt;$H$os$t$&gt;$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$&lt;$\/H$o$s$t$&gt;$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$&lt;$\/$P$a$ss$&gt;$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Filezilla<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Programfiles(x86)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">programfiles<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$\\jDow$nloader\\$config\\dat$abase.scr$ipt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">programfiles(x86)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$\\jD$ownloader\\con$fig\\databa$se.sc$ript<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">INS#ERT INT#O CON#FIG VA#LUE#S(&#8216;A#ccoun#tContr#oller#&#8217;,&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">JDownloader<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\DownloadManager\\Passwords\\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Program: Internet Download Manager &gt;6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">User<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">EncPassword<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IDM<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Advapi32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RegOpenKeyEx<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RegCloseKey<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RegQueryValueEx<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\IMVU\\username<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\IMVU\\password<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Imvu<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Chrome<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Firefox<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Internet Explorer<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Opera<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Safari<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">URL<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">User Name :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">URL :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Web Browser :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Browsers.txt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/stext<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RecoverBrowsers<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Outlook<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">_Thunder_bird<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Eudora<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Incredimail<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Netscape<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\\Mails.txt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RecoverMail<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Application<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Email :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Server :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Application :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">kernel32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">KeyBase<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ntdll<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LoadLibraryA<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.dll<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">user32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$Set$Window$sHook$Ex$A$<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These strings show that this file is a password stealer. It collects keystrokes and copies clipboard images then uploads them to <strong>hxxp:\/\/www.twentysixjune.biz\/jonoTwo-4sept-14oct\/image\/upload.php<\/strong><br>It also collects information from the following:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\Paltalk\\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">nickname<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">pwd<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Program: FileZilla<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">FileZilla\\recentservers.xml<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">$\\jDow$nloader\\$config\\dat$abase.scr$ipt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">JDownloader<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">IDM<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\IMVU\\username<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Software\\IMVU\\password<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Imvu<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Chrome<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Firefox<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Internet Explorer<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Opera<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Safari<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">URL<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">User Name :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">URL :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Web Browser :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Browsers.txt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/stext<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RecoverBrowsers<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Outlook<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">_Thunder_bird<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Eudora<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Incredimail<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Netscape<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\\Mails.txt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RecoverMail<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Application<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Email<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Malicious URL<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">hxxp:\/\/twentysixjune(.)biz<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ip address is: 80(.)82(.)78(.)57 : 80<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the malicious url we found within the strings, even Virus Total flagged this url as malicious by six vendors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">https:\/\/virustotal.com\/en\/url\/03f84b1e66f394d4d506d16c44434136496399f7ed3cfeccb69c9725951d5ea2\/analysis\/1488780554<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AegisLab WebGuard Malicious site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sophos Malicious site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trustwave Malicious site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BitDefender Malware site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fortinet Malware site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">G-Data Malware site<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Code Injection<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Process &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Code size Virtual Address&nbsp;<\/strong><br><br>C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe&nbsp;&nbsp; &nbsp;516096 &nbsp; &nbsp; &nbsp;400000<br><br>C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe&nbsp;&nbsp; &nbsp;364544 &nbsp; &nbsp; &nbsp;400000<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Conclusion<\/strong><br><br>We recommend blocking the malicious URL and searching for the executable (sapp.exe) in the application data location then removing the sapp.exe.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This malware sample masquerading as a Proforma Invoice was identified through a recent spear phishing attack on one of our client networks. The sample in question is a .NET file and comes with the name \u2018Proforma Invoice\u2019. We are sharing it for the benefit of the community.<\/p>\n","protected":false},"author":1,"featured_media":1030,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=988"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":4081,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988\/revisions\/4081"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1030"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}