{"id":2365,"date":"2021-05-21T09:41:30","date_gmt":"2021-05-21T07:41:30","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2365"},"modified":"2026-06-08T22:57:19","modified_gmt":"2026-06-08T22:57:19","slug":"agent-tesla-campaign-may-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/agent-tesla-campaign-may-2021\/","title":{"rendered":"Agent Tesla \u2014 campaign of 20 May 2021"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h2 class=\"wp-block-heading\">Agent Tesla<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. <br> The spyware is created using the .Net software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients and FTP servers. <br> The malware comes equipped with multiple persistence mechanisms that help it avoid antivirus detection. As such, it can resume operation automatically after a system reboot. 
It is also able to turn off Windows processes to stay hidden.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<h2 class=\"wp-block-heading\">SilverTerrier<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/attack.mitre.org\/groups\/G0083\">SilverTerrier<\/a>&nbsp;is a Nigerian threat group that has been active since 2014.&nbsp;<a href=\"https:\/\/attack.mitre.org\/groups\/G0083\">SilverTerrier<\/a>&nbsp;primarily targets organizations in high technology, higher education, and manufacturing.<\/p>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<p class=\"wp-block-paragraph\">In recent weeks we detected a new malware campaign containing Agent Tesla. Below is an analysis of the malware and the offensive infrastructure.<br> <br>Sandbox analysis link: <a href=\"https:\/\/app.any.run\/tasks\/1f2f6acd-d1a7-4175-a06f-38524a5f9b0d\/\" class=\"ek-link\">https:\/\/app.any.run\/tasks\/1f2f6acd-d1a7-4175-a06f-38524a5f9b0d\/<\/a><\/p>\n\n\n\n<div class=\"wp-block-cover has-background-dim\" style=\"background-image:url(https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/05\/AGENTTESLA.png)\"><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-large-font-size wp-block-paragraph\"><strong>Malware and offensive infrastructure analysis<\/strong><\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Dynamic analysis<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Process tree<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Upon execution, the malware spawns two subprocesses:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>schtasks.exe<\/strong><\/li><li><strong>RegSvcs.exe<\/strong><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The first is exploited to create scheduled tasks via the command:<\/p>\n\n\n\n<blockquote 
class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>&#8220;C:\\Windows\\System32\\schtasks.exe&#8221; \/Create \/TN &#8220;Updates\\ysZeGjU&#8221; \/XML &#8220;C:\\Users\\admin\\AppData\\Local\\Temp\\tmp9D6C.tmp&#8221;<\/strong><\/p><cite>Persistence command<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">which launches the malware <strong>ysZeGjU.exe<\/strong> at each logon.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second process is identified as <strong>Agent Tesla<\/strong>; all malware activities are executed through this process:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Creation of registry keys<\/li><li>Exfiltration of information from web browsers<ul><li><strong>C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini<\/strong><\/li><\/ul><\/li><li>Exfiltration of user personal information<ul><li><strong>C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini<\/strong><\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/05\/image.png\" alt=\"\" class=\"wp-image-2375\" loading=\"lazy\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h5 class=\"wp-block-heading\">Dropped files<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">During sample execution, unpacking and malware persistence occur. 
This process results in the creation of new files:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>C:\\Users\\admin\\AppData\\Roaming\\NewApp\\<strong>NewApp.exe<\/strong><\/li><li>C:\\Users\\admin\\AppData\\Roaming\\<strong>ysZeGjU.exe<\/strong><\/li><li>C:\\Users\\admin\\AppData\\Local\\Temp\\<strong>tmpD59.tmp<\/strong><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The file <strong>ysZeGjU.exe<\/strong> is the actual malware that will be executed at each system startup to obtain remote and persistent access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h5 class=\"wp-block-heading\">Registry keys created<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">These keys are created to achieve persistence on the system, enabling malware execution at each machine reboot.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>KEY <\/strong>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  <ul><li><strong>NAME <\/strong>NewApp  <\/li><li><strong>VALUE <\/strong>C:\\Users\\admin\\AppData\\Roaming\\NewApp\\NewApp.exe <\/li><\/ul><\/li><li><strong>KEY <\/strong>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run <ul><li><strong>NAME <\/strong>NewApp  <\/li><li><strong>VALUE <\/strong>C:\\Users\\admin\\AppData\\Roaming\\NewApp\\NewApp.exe<\/li><\/ul><\/li><\/ul>\n<\/div><\/div>\n\n\n\n<h5 class=\"wp-block-heading\">Network activity<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">The malware contacts the C2 (command and control) server, to which it transmits the information exfiltrated from the victim and which enables remote control of the system:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Domain <\/strong>mail[.]tradzilanilaw[.]co[.]za <\/li><li><strong>IP  <\/strong>69[.]46[.]6[.]238 <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As illustrated in the figure below, the domain and IP contacted by the 
<em>sample<\/em> under analysis have been observed in use across additional malware campaigns and other specimens of the same family (<em>Agent Tesla<\/em>). Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> infrastructure has tracked this infrastructure across multiple threat actors, indicating shared tooling or operational overlap within the Agent Tesla ecosystem.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/05\/image-1.png\" alt=\"\" class=\"wp-image-2390\" loading=\"lazy\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Static Analysis<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Through initial static analysis of the <strong>Agent Tesla initial sample<\/strong>, we extracted the following indicators of interest:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> <strong>md5 <\/strong>63CCA7B824B315FE272B8B4768CCB44E<\/li><li> <strong>sha1 <\/strong>D3B145B0C415488815B430F71EA82BA8F4289F05<\/li><li> <strong>sha256 <\/strong>46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8<\/li><li> <strong>first-bytes-hex<\/strong> 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 <\/li><li> <strong>entry-point<\/strong> FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <\/li><li> <strong>file-version<\/strong> 0.8.0.0<\/li><li> <strong>cpu <\/strong>32-bit<\/li><li> <strong>compiler-stamp<\/strong> 0x60A58B3F (Thu May 20 00:03:43 2021)<\/li><li> <strong>code-page<\/strong> Unicode UTF-16, little endian<\/li><li> <strong>CompanyName<\/strong> Fayva<\/li><li> <strong>FileDescription<\/strong> wsManager<\/li><li> <strong>InternalName<\/strong> 
8MUWA2d1M.exe<\/li><li> <strong>LegalCopyright <\/strong>Copyright \u00a9  Fayva<\/li><li> <strong>OriginalFilename<\/strong> 8MUWA2d1M.exe<\/li><li> <strong>ProductName<\/strong> webshellManager  <\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h5 class=\"wp-block-heading\">ysZeGjU.exe<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>md5 <\/strong>63CCA7B824B315FE272B8B4768CCB44E<\/li><li> <strong>sha1 <\/strong>D3B145B0C415488815B430F71EA82BA8F4289F05<\/li><li> <strong>sha256 <\/strong>46CE9BBD88955426CB51DB89E2767E46B5A1718B1D90407C5845B648EE8DC7C8<\/li><li> <strong>first-bytes-hex<\/strong> 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 <\/li><li> <strong>imphash <\/strong>F34D5F2D4577ED6D9CEEC516C1F5A744<\/li><li><strong> entry-point<\/strong> FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <\/li><li><strong> file-version<\/strong> 0.8.0.0<\/li><li> <strong>description <\/strong>wsManager<\/li><li> <strong>cpu <\/strong>32-bit<\/li><li> <strong>compiler-stamp<\/strong> 0x60A58B3F (Thu May 20 00:03:43 2021)<\/li><li> <strong>CompanyName <\/strong>Fayva<\/li><li> <strong>FileDescription <\/strong>wsManager<\/li><li> <strong>FileVersion <\/strong>0.8.0.0<\/li><li> <strong>InternalName <\/strong>8MUWA2d1M.exe<\/li><li> <strong>LegalCopyright <\/strong>Copyright \u00a9  Fayva<\/li><li> <strong>OriginalFilename<\/strong> 8MUWA2d1M.exe<\/li><li> <strong>ProductName <\/strong>webshellManager <\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h5 class=\"wp-block-heading\">NewApp.exe<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>md5 <\/strong>0E06054BEB13192588E745EE63A84173<\/li><li> <strong>sha1 <\/strong>30B7D4D1277BAFD04A83779FD566A1F834A8D113<\/li><li> <strong>sha256 <\/strong>C5D6D56DED55FBD6C150EE3A0EB2E5671CAE83106BE2BE4D70CE50AA50BAB768<\/li><li> <strong>first-bytes-hex<\/strong> 4D 5A 90 00 03 00 00 00 04 00 00 00 FF 
FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 <\/li><li> <strong>imphash <\/strong>F34D5F2D4577ED6D9CEEC516C1F5A744<\/li><li> <strong>entry-point<\/strong> FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <\/li><li> <strong>file-version<\/strong> 4.7.3062.0 built by: NET472REL1<\/li><li> <strong>description <\/strong>Microsoft .NET Services Installation Utility<\/li><li> <strong>cpu <\/strong>32-bit<\/li><li> <strong>compiler-stamp<\/strong> 0x5AB95109 (Mon Mar 26 21:59:05 2018 )<\/li><li> <strong>code-page<\/strong> Unicode UTF-16, little endian<\/li><li> <strong>CompanyName <\/strong>Microsoft Corporation<\/li><li> <strong>FileDescription <\/strong>Microsoft .NET Services Installation Utility<\/li><li> <strong>InternalName <\/strong>RegSvcs.exe<\/li><li> <strong>LegalCopyright <\/strong>\u00a9 Microsoft Corporation.  All rights reserved.<\/li><li> <strong>OriginalFilename <\/strong>RegSvcs.exe<\/li><li> <strong>ProductName <\/strong>Microsoft\u00ae .NET Framework <\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>NewApp <\/em>is identified as the Microsoft tool <strong>RegSvcs.exe<\/strong>, through which registry keys can be created.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h5 class=\"wp-block-heading\"> <strong>tmpD59.tmp<\/strong> <\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>md5 <\/strong>C0089F5200712CEBEC6B695A682611B3<\/li><li> <strong>sha1 <\/strong>F30A3BDACB50B9CA066EC23BAB70164025ADF439<\/li><li> <strong>sha256 <\/strong>050749E86B5846DD70D4F2A8324B742C0F87109D7CDB356D33968AFDC57CED96<\/li><li> <strong>first-bytes-hex<\/strong> 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46 <\/li><li> <strong>first-bytes-text<\/strong> &lt; ? x m l   v e r s i o n = &#8221; 1 . 
0 &#8221;   e n c o d i n g = &#8221; U T F <\/li><\/ul>\n\n\n\n<p>File content excerpt:<\/p>\n<blockquote>\n<p>&lt;LogonTrigger&gt;<br>&lt;Enabled&gt;true&lt;\/Enabled&gt; <br>&lt;UserId&gt;USER-PC\\admin&lt;\/UserId&gt;<br>&lt;\/LogonTrigger&gt; &lt;Command&gt;C:\\Users\\admin\\AppData\\Roaming\\ysZeGjU.exe&lt;\/Command&gt;<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Employed as a persistence mechanism for the malware (<strong>ysZeGjU.exe<\/strong>) upon each logon of the affected user.<\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Additional IOCs correlated with Agent Tesla<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p class=\"wp-block-paragraph\">List of hashes for Agent Tesla executable samples detected: <\/p>\n<\/div><\/div>\n\n\nCorrelation of infrastructure and file artifacts enables defenders to identify and block Agent Tesla distribution chains at multiple points in the attack lifecycle.","protected":false},"excerpt":{"rendered":"<p>Agent Tesla campaign of 20 May 2021: spearphishing templates, dropper chain, exfiltration channels and host-level indicators for endpoint 
detection.<\/p>\n","protected":false},"author":1,"featured_media":2409,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[25,1553,61,75,3241,3212,198,212,285,320,331],"class_list":["post-2365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-agent","tag-agent-tesla-it","tag-c2","tag-command","tag-dropper-chain","tag-information-stealer","tag-keylogger","tag-malware","tag-rat","tag-silver-terrier","tag-spearphishing"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2365"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2365\/revisions"}],"predecessor-version":[{"id":9886,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2365\/revisions\/9886"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}