{"id":3093,"date":"2015-06-19T17:08:33","date_gmt":"2015-06-19T17:08:33","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3093"},"modified":"2015-06-19T17:10:03","modified_gmt":"2015-06-19T17:10:03","slug":"basic-intro-to-wmi-and-wql-queries","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/06\/19\/basic-intro-to-wmi-and-wql-queries\/","title":{"rendered":"Basic intro to WMI and WQL queries"},"content":{"rendered":"<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Windows_Management_Instrumentation\">WMI<\/a> is an important component of Windows OS and everyone knows about it so I won&#8217;t get into detail about what it is (read the linked wikipedia article if you want to know). I will focus on practical stuff instead which we come across more and more often.<\/p>\n<p>I will begin by saying that nowadays lots of malware is using WMI &#8211; either to establish a stealthy persistence mechanism, or query various information from the system. This typically is done using WQL queries which are so popular that even a couple of typical OS commands are implemented as &#8216;processors&#8217; simply interpreting results of many WQL queries instead of actually using old-school APIs.<\/p>\n<p>A good example is a tasklist.exe. If you ever launched it from a command line and observed a slight delay before it returned the data it is because it has to &#8216;talk&#8217; to WMI first and sometimes WMI initialization may take a while.<\/p>\n<p>This particular program is actually a good example we can use to show what exactly happens when it &#8216;talks&#8217; to WMI.<\/p>\n<p>Have a look at the Tasklist.exe log below.<\/p>\n<ul>\n<li>First WMI connects to the WMI server &#8211; the &#8216;root\\cimv2&#8217; is a namespace used by most WMI classes<\/li>\n<li>Then it executes the WQL query<\/li>\n<\/ul>\n<pre>     SELECT \r\n        __PATH,\r\n        ProcessId, \r\n        CSName, \r\n        Caption, \r\n        SessionId, \r\n        ThreadCount, \r\n        WorkingSetSize, \r\n        KernelModeTime, \r\n        UserModeTime\u00a0 \r\n     FROM \r\n        Win32_Process<\/pre>\n<ul>\n<li>Then the result returned by the query is processed using the IWbemClassObject::Get method<\/li>\n<li>Finally, this obtained data is sent to the the console using a WriteConsoleW function<\/li>\n<\/ul>\n<p>Apart from tasklist.exe, we can also find WQL in taskkill.exe.<\/p>\n<p>Killing a process requires a different query, one that specifies f.ex. a name of the process:<\/p>\n<pre>\u00a0\u00a0\u00a0\u00a0 SELECT\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __PATH,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ProcessId,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CSName,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Caption,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SessionId,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ThreadCount,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 WorkingSetSize,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 KernelModeTime,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 UserModeTime,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ParentProcessId\r\n\u00a0\u00a0\u00a0\u00a0 FROM\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Win32_Process\r\n\u00a0\u00a0\u00a0\u00a0 WHERE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (\u00a0 Caption = \"notepad.exe\")<\/pre>\n<p>which is ran when we execute<\/p>\n<pre>taskkill.exe \/im notepad.exe \/f<\/pre>\n<p>The WMI is then queried for a method &#8216;Terminate&#8217; which is supposed to kill the object. All of these queries are ran via COM so it&#8217;s a bit of a pain to analyze it, but once you get used to it it&#8217;s actually manageable (just a bit mundane).<\/p>\n<p>Refer to a short Taskkill.exe log below.<\/p>\n<p>As I mentioned above, malware often uses WQL queries and the most popular are listed below:<\/p>\n<ul>\n<li>select * from antispywareproduct<\/li>\n<li>select * from antivirusproduct<\/li>\n<li>select * from firewallproduct<\/li>\n<li>select * from win32_baseboard<\/li>\n<li>select * from win32_bios where manufacturer like &#8216;%xen%&#8217; or (smbiosbiosversion like &#8216;%vbox%&#8217;) or (smbiosbiosversion like &#8216;%bochs%&#8217;) or (smbiosbiosversion like &#8216;%qemu%&#8217;) or (smbiosbiosversion like &#8216;%virtualbox%&#8217;)<\/li>\n<li>select * from win32_bios<\/li>\n<li>select * from win32_cdromdrive<\/li>\n<li>select * from win32_computersystem<\/li>\n<li>select * from win32_computersystemproduct<\/li>\n<li>select * from win32_diskdrive<\/li>\n<li>select * from win32_networkadapter where (name like &#8216;%tap%&#8217;) and (not pnpdeviceid like &#8216;%*isatap%&#8217;) and (netenabled = true)<\/li>\n<li>select * from win32_onboarddevice<\/li>\n<li>select * from win32_operatingsystem<\/li>\n<li>select * from win32_physicalmedia<\/li>\n<li>select * from win32_processor<\/li>\n<li>select * from win32_systemenclosure<\/li>\n<li>select * from win32_useraccount<\/li>\n<li>select * from win32_videocontroller<\/li>\n<li>select name, executablepath from win32_process<\/li>\n<\/ul>\n<p>There are many more which often focus on sandbox detection, but I may cover them in a separate post.<\/p>\n<p><strong>Taskkill.exe log<\/strong><\/p>\n<p>IWbemLocator::ConnectServer: &#8216;root\\cimv2&#8217;<br \/>\nIWbemServices::ExecQuery: (&#8216;SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE (\u00a0 Caption = &#8220;notepad.exe&#8221;)&#8217;)<br \/>\nIWbemServices::GetObjectA: Win32_Process<br \/>\nIWbemClassObject::GetMethod: Terminate<\/p>\n<p><strong>Tasklist.exe log<\/strong><\/p>\n<pre>WbemLocator::ConnectServer): 'root\\cimv2'\r\nIWbemServices::ExecQuery ('SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime\u00a0 FROM Win32_Process')\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"0\"\r\nIWbemClassObject::Get: ProcessId=0\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=System Idle Process\r\nIWbemClassObject::Get: ThreadCount=1\r\nIWbemClassObject::Get: KernelModeTime=649121406250\r\nIWbemClassObject::Get: UserModeTime=0\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=28672\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"4\"\r\nIWbemClassObject::Get: ProcessId=4\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=System\r\nIWbemClassObject::Get: ThreadCount=48\r\nIWbemClassObject::Get: KernelModeTime=103437500\r\nIWbemClassObject::Get: UserModeTime=0\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=241664\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"412\"\r\nIWbemClassObject::Get: ProcessId=412\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=smss.exe\r\nIWbemClassObject::Get: ThreadCount=3\r\nIWbemClassObject::Get: KernelModeTime=156250\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=442368\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"628\"\r\nIWbemClassObject::Get: ProcessId=628\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=csrss.exe\r\nIWbemClassObject::Get: ThreadCount=11\r\nIWbemClassObject::Get: KernelModeTime=12343750\r\nIWbemClassObject::Get: UserModeTime=5312500\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=4444160\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"720\"\r\nIWbemClassObject::Get: ProcessId=720\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=winlogon.exe\r\nIWbemClassObject::Get: ThreadCount=17\r\nIWbemClassObject::Get: KernelModeTime=15156250\r\nIWbemClassObject::Get: UserModeTime=2343750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=5029888\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"764\"\r\nIWbemClassObject::Get: ProcessId=764\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=services.exe\r\nIWbemClassObject::Get: ThreadCount=15\r\nIWbemClassObject::Get: KernelModeTime=8927500000\r\nIWbemClassObject::Get: UserModeTime=901250000\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=3727360\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"776\"\r\nIWbemClassObject::Get: ProcessId=776\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=lsass.exe\r\nIWbemClassObject::Get: ThreadCount=20\r\nIWbemClassObject::Get: KernelModeTime=143437500\r\nIWbemClassObject::Get: UserModeTime=28906250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=1490944\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"932\"\r\nIWbemClassObject::Get: ProcessId=932\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=vmacthlp.exe\r\nIWbemClassObject::Get: ThreadCount=1\r\nIWbemClassObject::Get: KernelModeTime=0\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=2768896\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"948\"\r\nIWbemClassObject::Get: ProcessId=948\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=svchost.exe\r\nIWbemClassObject::Get: ThreadCount=17\r\nIWbemClassObject::Get: KernelModeTime=781250\r\nIWbemClassObject::Get: UserModeTime=468750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=5214208\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1032\"\r\nIWbemClassObject::Get: ProcessId=1032\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=svchost.exe\r\nIWbemClassObject::Get: ThreadCount=9\r\nIWbemClassObject::Get: KernelModeTime=625000\r\nIWbemClassObject::Get: UserModeTime=781250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=4546560\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1152\"\r\nIWbemClassObject::Get: ProcessId=1152\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=svchost.exe\r\nIWbemClassObject::Get: ThreadCount=49\r\nIWbemClassObject::Get: KernelModeTime=125937500\r\nIWbemClassObject::Get: UserModeTime=50781250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=17682432\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1188\"\r\nIWbemClassObject::Get: ProcessId=1188\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=svchost.exe\r\nIWbemClassObject::Get: ThreadCount=5\r\nIWbemClassObject::Get: KernelModeTime=781250\r\nIWbemClassObject::Get: UserModeTime=312500\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=3985408\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1224\"\r\nIWbemClassObject::Get: ProcessId=1224\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=svchost.exe\r\nIWbemClassObject::Get: ThreadCount=4\r\nIWbemClassObject::Get: KernelModeTime=0\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=3346432\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1396\"\r\nIWbemClassObject::Get: ProcessId=1396\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=spoolsv.exe\r\nIWbemClassObject::Get: ThreadCount=11\r\nIWbemClassObject::Get: KernelModeTime=625000\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=6545408\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1776\"\r\nIWbemClassObject::Get: ProcessId=1776\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=explorer.exe\r\nIWbemClassObject::Get: ThreadCount=10\r\nIWbemClassObject::Get: KernelModeTime=21718750\r\nIWbemClassObject::Get: UserModeTime=6093750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=19316736\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"2008\"\r\nIWbemClassObject::Get: ProcessId=2008\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=vmtoolsd.exe\r\nIWbemClassObject::Get: ThreadCount=5\r\nIWbemClassObject::Get: KernelModeTime=17031250\r\nIWbemClassObject::Get: UserModeTime=8593750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=12140544\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"2024\"\r\nIWbemClassObject::Get: ProcessId=2024\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=ctfmon.exe\r\nIWbemClassObject::Get: ThreadCount=1\r\nIWbemClassObject::Get: KernelModeTime=156250\r\nIWbemClassObject::Get: UserModeTime=312500\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=3600384\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"476\"\r\nIWbemClassObject::Get: ProcessId=476\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=PERSFW.exe\r\nIWbemClassObject::Get: ThreadCount=6\r\nIWbemClassObject::Get: KernelModeTime=2187500\r\nIWbemClassObject::Get: UserModeTime=1093750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=6897664\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"516\"\r\nIWbemClassObject::Get: ProcessId=516\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=vmtoolsd.exe\r\nIWbemClassObject::Get: ThreadCount=7\r\nIWbemClassObject::Get: KernelModeTime=124531250\r\nIWbemClassObject::Get: UserModeTime=63281250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=13619200\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1472\"\r\nIWbemClassObject::Get: ProcessId=1472\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=TPAutoConnSvc.exe\r\nIWbemClassObject::Get: ThreadCount=5\r\nIWbemClassObject::Get: KernelModeTime=1093750\r\nIWbemClassObject::Get: UserModeTime=468750\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=4669440\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1796\"\r\nIWbemClassObject::Get: ProcessId=1796\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=TPAutoConnect.exe\r\nIWbemClassObject::Get: ThreadCount=1\r\nIWbemClassObject::Get: KernelModeTime=5312500\r\nIWbemClassObject::Get: UserModeTime=2500000\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=5267456\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"2040\"\r\nIWbemClassObject::Get: ProcessId=2040\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=cmd.exe\r\nIWbemClassObject::Get: ThreadCount=1\r\nIWbemClassObject::Get: KernelModeTime=156250\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=2961408\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"588\"\r\nIWbemClassObject::Get: ProcessId=588\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=wmiprvse.exe\r\nIWbemClassObject::Get: ThreadCount=7\r\nIWbemClassObject::Get: KernelModeTime=0\r\nIWbemClassObject::Get: UserModeTime=156250\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=6332416\r\nIWbemClassObject::Get: __PATH=\\\\&lt;hostname&gt;\\root\\cimv2:Win32_Process.Handle=\"1592\"\r\nIWbemClassObject::Get: ProcessId=1592\r\nIWbemClassObject::Get: CSName=&lt;hostname&gt;\r\nIWbemClassObject::Get: Caption=tasklist.exe\r\nIWbemClassObject::Get: ThreadCount=4\r\nIWbemClassObject::Get: KernelModeTime=2031250\r\nIWbemClassObject::Get: UserModeTime=2187500\r\nIWbemClassObject::Get: SessionId=0\r\nIWbemClassObject::Get: WorkingSetSize=5816320<\/pre>\n<pre><\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WMI is an important component of Windows OS and everyone knows about it so I won&#8217;t get into detail about what it is (read the linked wikipedia article if you want to know). I will focus on practical stuff instead &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/06\/19\/basic-intro-to-wmi-and-wql-queries\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3093"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3093"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3093\/revisions"}],"predecessor-version":[{"id":3097,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3093\/revisions\/3097"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}