Windows Analysis Report
http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com

Overview

General Information

Sample URL:http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com
Analysis ID:1541081
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6368 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 6628 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup
No configs have been found
No yara matches
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4564, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1, ProcessId: 6368, ProcessName: cmd.exe
No Suricata rule has matched

There are no malicious signatures.

Source: unknown; TCP traffic detected without corresponding DNS query: 74.248.123.196
Source: global traffic; HTTP traffic detected:
GET /d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Accept-Encoding: identity
Host: 74.248.123.196
Connection: Keep-Alive
Source: wget.exe, 00000002.00000002.1708127260.0000000000A10000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://74.24
Source: wget.exe, 00000002.00000002.1708127260.0000000000A17000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.
Source: cmdline.out.0.dr; String found in binary or memory: http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855
Source: classification engine; Classification label: clean1.win@4/1@0/1
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\SysWOW64\wget.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com"
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe; Section loaded: mswsock.dll
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: wget.exe, 00000002.00000002.1708127260.0000000000A17000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cachehostorigin=au.download.windowsupdate.com" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cachehostorigin=au.download.windowsupdate.com"
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Behavior graph (ID: 1541081, URL: http://74.248.123.196/d/msd..., Startdate: 24/10/2024, Architecture: WINDOWS, Score: 1): cmd.exe started wget.exe and conhost.exe; wget.exe contacted 74.248.123.196, 49737, 49738, 80 (SUDDENLINK-COMMUNICATIONSUS, United States).
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://74.24 | wget.exe, 00000002.00000002.1708127260.0000000000A10000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform. | wget.exe, 00000002.00000002.1708127260.0000000000A17000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855 | cmdline.out.0.dr | false | | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        74.248.123.196 | unknown | United States | 19108 | SUDDENLINK-COMMUNICATIONSUS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1541081
        Start date and time:2024-10-24 11:53:05 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 32s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:urldownload.jbs
        Sample URL:http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:3
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean1.win@4/1@0/1
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Unable to download file
        • Not all processes where analyzed, report is missing behavior information
        • VT rate limit hit for: http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com
        No simulations
        No context
        Process:C:\Windows\SysWOW64\cmd.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):659
        Entropy (8bit):5.181218388305314
        Encrypted:false
        SSDEEP:12:HRWb27qAgT/FB1De5RhXF/u3NFt7qAgT/FB1De5RhXFwh:xv8xePPG3d8xePgh
        MD5:46E872CBA229BEEE33F79A4F7FC49337
        SHA1:C1F0DD964C5036BC5AA2DC2D3EA2B1E70D0B45BD
        SHA-256:BFE2DFE8F3CEB8C67B8FF905E5F47D32A398D3A3AAA52EBCE9D561864C2F37B4
        SHA-512:B4EF091BB2AB1F2416B41EDA456A7B2E3590E7B80A071453FF6CD9A5D130D94983E223B56182B9218477DA965A338F865250813D1996244148AC297597688B84
        Malicious:false
        Reputation:low
        Preview:--2024-10-24 05:53:59-- http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com..Connecting to 74.248.123.196:80... connected...HTTP request sent, awaiting response... No data received...Retrying.....--2024-10-24 05:54:00-- (try: 2) http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com..Connecting to 74.248.123.196:80... connected...HTTP request sent, awaiting response... No data received...Giving up.....
        No static file info
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.4 | 49737 | 74.248.123.196 | 80 | 6628 | C:\Windows\SysWOW64\wget.exe
        Timestamp | Bytes transferred | Direction | Data
        Oct 24, 2024 11:54:00.932332039 CEST | 346 | OUT | GET /d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
        Accept: */*
        Accept-Encoding: identity
        Host: 74.248.123.196
        Connection: Keep-Alive


        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        1 | 192.168.2.4 | 49738 | 74.248.123.196 | 80 | 6628 | C:\Windows\SysWOW64\wget.exe
        Timestamp | Bytes transferred | Direction | Data
        Oct 24, 2024 11:54:01.950690031 CEST | 346 | OUT | GET /d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
        Accept: */*
        Accept-Encoding: identity
        Host: 74.248.123.196
        Connection: Keep-Alive


        Target ID:0
        Start time:05:53:59
        Start date:24/10/2024
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com" > cmdline.out 2>&1
        Imagebase:0x240000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:05:53:59
        Start date:24/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:2
        Start time:05:53:59
        Start date:24/10/2024
        Path:C:\Windows\SysWOW64\wget.exe
        Wow64 process (32bit):true
        Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://74.248.123.196/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com"
        Imagebase:0x400000
        File size:3'895'184 bytes
        MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        No disassembly