Parent page of this data file: https://divinity-in-action.com/articles/pegasusspyware/macbooks/ Spyware Found on Irina Bright’s MacBooks, Which May Be Related to Pegasus Spyware. File name: system_installd_2018-02-06-062659_Irinas-MacBook-Pro.memory_resource.diag Downloaded from: MacBook > Library_Logs_DiagnosticReports. Date/Time: 2018-02-06 06:23:42.593994 +0000 OS Version: Mac OS X 10.13.3 (Build 17D47) Architecture: x86_64 Report Version: 19 Command: system_installd Path: /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_installd Version: ??? (???) Bundle Id: com.apple.system_installd PID: 1812 Coalition ID: 717 Wall Time Alive: 102 Footprint: 0MB Limit: 200 Process Flags: Active Event: memory high watermark Action taken: none -- this exception is advisory Duration: 102.08s Steps: 0 Hardware model: MacBookPro9,2 Active cpus: 4 Signature: MALLOC_SMALL MallocStack Sig: Section: footprint --summary ========================================================================================== system_installd [1812] (corpse): 64-bit Footprint: 201 MB (4096 bytes per page) ========================================================================================== Dirty (Swapped) Clean Reclaimable (Wired) Regions Category --- --- --- --- --- --- --- 174 MB 44 MB 0 B 0 B 0 B 270 MALLOC_SMALL 20 MB 8192 B 0 B 0 B 0 B 137 MALLOC_LARGE 4640 KB 1628 KB 0 B 0 B 0 B 6 MALLOC_TINY 324 KB 0 B 0 B 0 B 0 B 1 libdispatch 304 KB 76 KB 940 KB 0 B 0 B 15 untagged ("VM_ALLOCATE") 188 KB 36 KB 0 B 0 B 0 B 9 stack 76 KB 32 KB 0 B 0 B 0 B 26 malloc metadata 12 KB 0 B 0 B 0 B 0 B 1 Activity Tracing 8192 B 0 B 0 B 0 B 0 B 1 os_alloc_once 724 KB 240 KB 264 KB 0 B 0 B 854 Other --- --- --- --- --- --- --- 201 MB 46 MB 1204 KB 0 B 0 B 1320 TOTAL Auxiliary data: Kernel memory: KPRVT: 8192 B KSHRD: 0 B phys_footprint: 0 B Powerstats for: system_installd [1812] UUID: ED306731-AA89-3406-817B-ADE51C32086E Start time: 2018-02-06 06:25:01 +0000 End time: 2018-02-06 
06:25:21 +0000 Parent: launchd Microstackshots: 7 samples Primary state: 6 samples Non-Frontmost App, Kernel mode, Effective Thread QoS Utility, Requested Thread QoS Utility, Override Thread QoS Unspecified User Activity: 0 samples Idle, 7 samples Active Power Source: 0 samples on Battery, 7 samples on AC 4 _pthread_wqthread + 1387 (libsystem_pthread.dylib) [0x7fff6827c1ca] 4 _dispatch_worker_thread3 + 101 (libdispatch.dylib) [0x7fff67fb96ed] 4 _dispatch_root_queue_drain + 902 (libdispatch.dylib) [0x7fff67fb9ac4] 4 _dispatch_client_callout + 8 (libdispatch.dylib) [0x7fff67fb7d50] 4 _dispatch_call_block_and_release + 12 (libdispatch.dylib) [0x7fff67fbf591] 2 -[PKInstall _installMain:] + 1306 (PackageKit) [0x7fff5d1a7398] 2 -[PKInstallAnalyzer initWithInstallRequest:includeObsoletion:] + 494 (PackageKit) [0x7fff5d1d4cc9] 2 -[PKInstallAnalyzer _analyzeIncludingObsoletion:] + 829 (PackageKit) [0x7fff5d1d5152] 2 -[PKInstallAnalyzer _findObsoleteOnDiskFilesForPackageSpecifier:] + 259 (PackageKit) [0x7fff5d1d5f12] 2 +[PKReceipt(LibraryReceipts) receiptWithIdentifier:volume:] + 100 (PackageKit) [0x7fff5d1c27e8] 2 +[PKReceipt(LibraryReceipts) receiptsOnVolumeAtPath:] + 88 (PackageKit) [0x7fff5d1c2711] 2 +[PKReceipt(LibraryReceipts) _findReceiptsOnVolumeAtPath:] + 281 (PackageKit) [0x7fff5d1c2508] 2 +[PKReceipt(LibraryReceipts) __findReceiptsFromBOMsDirectory:] + 407 (PackageKit) [0x7fff5d1c212c] 2 -[PKReceipt initWithBOMPath:] + 117 (PackageKit) [0x7fff5d1c1b1b] 2 +[NSDictionary(NSDictionary) dictionaryWithContentsOfFile:] + 45 (Foundation) [0x7fff4272488a] 2 +[NSDictionary(NSDictionary) newWithContentsOf:immutable:] + 115 (Foundation) [0x7fff4271f7d9] 2 -[NSData(NSData) initWithContentsOfFile:options:maxLength:error:] + 200 (Foundation) [0x7fff4283695c] 2 _NSReadBytesFromFileWithExtendedAttributes + 833 (Foundation) [0x7fff4271e1e8] 2 read + 10 (libsystem_kernel.dylib) [0x7fff6814241a] 2 -[PKInstall _installMain:] + 3221 (PackageKit) [0x7fff5d1a7b13] 2 
-[PKInstallOperationController run] + 238 (PackageKit) [0x7fff5d1e4a71] 2 -[PKInstallOperation start] + 106 (PackageKit) [0x7fff5d1e5d83] 2 -[__NSOperationInternal _start:] + 778 (Foundation) [0x7fff427455de] 2 -[PKExtractInstallOperation main] + 796 (PackageKit) [0x7fff5d1e7dc5] 2 -[PKExtractInstallOperation _extractPayloadForPackageSpecifier:error:] + 198 (PackageKit) [0x7fff5d1e705d] 2 -[PKLeopardPackage payloadExtractorWithDestination:externalRoot:error:] + 139 (PackageKit) [0x7fff5d1b692e] 2 -[PKXARArchive _fileOffsetForPath:error:] + 112 (PackageKit) [0x7fff5d1a5094] 2 -[PKXARArchive _xarFileIsValid:] + 94 (PackageKit) [0x7fff5d1a4411] 2 xar_data_verify + 149 (libxar.1.dylib) [0x7fff67cbb173] 1 read + 10 (libsystem_kernel.dylib) [0x7fff6814241a] 1 xar_attrcopy_from_heap + 418 (libxar.1.dylib) [0x7fff67cbd914] 1 xar_hash_toheap_out + 213 (libxar.1.dylib) [0x7fff67cbcb5a] 1 CCDigestUpdate + 47 (libcommonCrypto.dylib) [0x7fff67e90ef4] 1 ccdigest_update + 278 (libcorecrypto.dylib) [0x7fff67ebf02b] 1 ccsha1_vng_intel_compress_AVX1 + 1887 (libcorecrypto.dylib) [0x7fff67ee59ff] 1 3 _pthread_wqthread + 980 (libsystem_pthread.dylib) [0x7fff6827c033] 3 _dispatch_workloop_worker_thread + 880 (libdispatch.dylib) [0x7fff67fd0d16] 3 _dispatch_root_queue_drain_deferred_wlh + 332 (libdispatch.dylib) [0x7fff67fccf02] 3 _dispatch_queue_invoke + 373 (libdispatch.dylib) [0x7fff67fbf0fd] 3 _dispatch_queue_serial_drain + 222 (libdispatch.dylib) [0x7fff67fcc06f] 3 _dispatch_queue_invoke + 373 (libdispatch.dylib) [0x7fff67fbf0fd] 3 _dispatch_queue_serial_drain + 907 (libdispatch.dylib) [0x7fff67fcc31c] 3 _dispatch_client_callout + 8 (libdispatch.dylib) [0x7fff67fb7d50] 3 _dispatch_call_block_and_release + 12 (libdispatch.dylib) [0x7fff67fbf591] 3 ??? (AppleFSCompression + 30737) [0x7fff502ec811] 3 ??? (AppleFSCompression + 30404) [0x7fff502ec6c4] 3 ??? 
(AppleFSCompression + 32458) [0x7fff502ececa] 3 pwrite + 10 (libsystem_kernel.dylib) [0x7fff681423ea] Binary Images: 0x103d39000 - 0x103d3aff3 system_installd (727.1) /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd 0x7fff4270b000 - 0x7fff42ad0fff com.apple.Foundation 6.9 (1451) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation 0x7fff502e5000 - 0x7fff502f4ff7 com.apple.AppleFSCompression 96.30.2 (1.0) /System/Library/PrivateFrameworks/AppleFSCompression.framework/Versions/A/AppleFSCompression 0x7fff5d188000 - 0x7fff5d2a7fe7 com.apple.PackageKit 3.0 (727.1) /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/PackageKit 0x7fff67cb6000 - 0x7fff67cc3fff libxar.1.dylib (400) <0316128D-3B47-3052-995D-97B4FE5491DC> /usr/lib/libxar.1.dylib 0x7fff67e8d000 - 0x7fff67e97ff3 libcommonCrypto.dylib (60118.30.2) <674286D3-7744-36A3-9AAA-49DFCD97A986> /usr/lib/system/libcommonCrypto.dylib 0x7fff67ea9000 - 0x7fff67f2efff libcorecrypto.dylib (562.30.10) <8A53EFE1-AFCA-3676-BEE1-FA5ED9F0E222> /usr/lib/system/libcorecrypto.dylib 0x7fff67fb6000 - 0x7fff67fefff7 libdispatch.dylib (913.30.4) <7D0E3183-282B-3FEE-A734-2C0ADC092084> /usr/lib/system/libdispatch.dylib 0x7fff68125000 - 0x7fff6814aff7 libsystem_kernel.dylib (4570.41.2) <5155A4C3-825B-3178-AC51-0D2D2F2A6618> /usr/lib/system/libsystem_kernel.dylib 0x7fff68279000 - 0x7fff68284fff libsystem_pthread.dylib (301.30.1) /usr/lib/system/libsystem_pthread.dylib