Parent page of this data file: https://divinity-in-action.com/articles/pegasusspyware/macbooks/

Spyware Found on Irina Bright’s MacBooks, Which May Be Related to Pegasus Spyware.


File name: 	WindowServer_2018-02-25-160020_Irinas-MacBook-Pro.wakeups_resource.diag
Downloaded from: 	McBook > Library_Logs_DiagnosticReports.


Date/Time:       2018-02-25 15:55:30.024923 +0000
OS Version:      Mac OS X 10.13.3 (Build 17D102)
Architecture:    x86_64
Report Version:  19

Command:         WindowServer
Path:            /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
Version:         ??? (???)
Parent:          launchd [1]
PID:             165

Event:           wakeups
Wakeups:         45001 wakeups over the last 284 seconds (158 wakeups per second average), exceeding limit of 150 wakeups per second over 300 seconds
Action taken:    none
Duration:        284.08s
Steps:           135

Hardware model:  MacBookPro9,2
Active cpus:     4

Fan speed:       2010 rpm


Powerstats for:  WindowServer [165]
UUID:            BD323A05-A87E-3D6E-846C-32A16D2E5CB3
Start time:      2018-02-25 15:55:35 +0000
End time:        2018-02-25 16:00:14 +0000
Parent:          launchd
Microstackshots: 114 samples (84%)
Primary state:   39 samples Non-Frontmost App, Kernel mode, Effective Thread QoS Unspecified, Requested Thread QoS Unspecified, Override Thread QoS Unspecified
User Activity:   114 samples Idle, 0 samples Active
Power Source:    114 samples on Battery, 0 samples on AC
  48  ??? (WindowServer + 3550) [0x1014f6dde]
    48  SLXServer + 832 (SkyLight) [0x7fff526352b9]
      38  CGXRunOneServicesPass + 247 (SkyLight) [0x7fff526346fe]
        38  run_timer_pass + 495 (SkyLight) [0x7fff52604ce4]
          37  update_display_callback(void*, double) + 257 (SkyLight) [0x7fff525bdf86]
            36  CGXUpdateDisplay + 5711 (SkyLight) [0x7fff525bf808]
              34  prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 554 (SkyLight) [0x7fff525c29c5]
                27  CGXBeginSurfaceLayerUpdate + 7388 (SkyLight) [0x7fff52527e99]
                  25  invalidate_window_surface_region + 189 (SkyLight) [0x7fff525226d0]
                    9   reschedule_callback_on_session + 65 (SkyLight) [0x7fff526044e8]
                      9   CGSessionControlIsSessionDefunct + 79 (SkyLight) [0x7fff525b7736]
                        9   CFDictionaryContainsValue + 119 (CoreFoundation) [0x7fff30ae2367]
                          2   CFBasicHashGetCountOfValue + 548 (CoreFoundation) [0x7fff30ae25d4]
                            2   _Block_object_dispose + 73 (libsystem_blocks.dylib) [0x7fff58502c82]
                              2   <User mode>
                          2   CFBasicHashGetCountOfValue + 447 (CoreFoundation) [0x7fff30ae256f]
                            2   <User mode>
                          2   CFBasicHashGetCountOfValue + 430 (CoreFoundation) [0x7fff30ae255e]
                            1   CFBasicHashGetBucket + 46 (CoreFoundation) [0x7fff30aace1e]
                              1   <User mode>
                            1   CFBasicHashGetBucket + 42 (CoreFoundation) [0x7fff30aace1a]
                              1   <User mode>
                          2   CFBasicHashGetCountOfValue + 395 (CoreFoundation) [0x7fff30ae253b]
                            2   <User mode>
                          1   _Block_object_dispose + 1 (libsystem_blocks.dylib) [0x7fff58502c3a]
                            1   <User mode>
                    3   malloc + 1 (libsystem_malloc.dylib) [0x7fff5865b4f4]
                      3   <User mode>
                    2   reschedule_callback_on_session + 279 (SkyLight) [0x7fff526045be]
                      2   <User mode>
                    2   updateConnectionIdleState + 97 (SkyLight) [0x7fff524a53bc]
                      2   <User mode>
                    1   DYLD-STUB$$madvise + 6 (SkyLight) [0x7fff5264295a]
                      1   <User mode>
                    1   SLSCurrentRealTime + 1 (SkyLight) [0x7fff525a8b34]
                      1   <User mode>
                    1   CGXInvalidateDisplayShape + 134 (SkyLight) [0x7fff525cc561]
                      1   CGRegionRelease + 22 (CoreGraphics) [0x7fff30f2ade2]
                        1   assert_check_shape + 23 (CoreGraphics) [0x7fff30f2a2f2]
                          1   <User mode>
                    1   reschedule_callback_on_session + 206 (SkyLight) [0x7fff52604575]
                      1   <User mode>
                    1   updateConnectionIdleState + 63 (SkyLight) [0x7fff524a539a]
                      1   <User mode>
                    1   CGXInvalidateDisplayShape + 528 (SkyLight) [0x7fff525cc6eb]
                      1   <User mode>
                    1   reschedule_callback_on_session + 46 (SkyLight) [0x7fff526044d5]
                      1   <User mode>
                    1   CGXPackagesNoteModificationActivityForConnection + 19 (SkyLight) [0x7fff524a5945]
                      1   SLSCurrentRealTime + 13 (SkyLight) [0x7fff525a8b40]
                        1   mach_absolute_time + 56 (libsystem_kernel.dylib) [0x7fff585f9c8f]
                          1   <User mode>
                    1   reschedule_callback_on_session + 217 (SkyLight) [0x7fff52604580]
                      1   <User mode>
                  1   CGRectContainsRect + 450 (CoreGraphics) [0x7fff30f2adcc]
                    1   <User mode>
                  1   CGXInvalidateDisplayShape + 1 (SkyLight) [0x7fff525cc4dc]
                    1   <User mode>
                2   CGXBeginSurfaceLayerUpdate + 2075 (SkyLight) [0x7fff525269d8]
                  2   CARenderUpdateAddContext2 + 48 (QuartzCore) [0x7fff3bd4236c]
                    2   CA::Render::Update::add_context(CA::Render::Context*, CA::Render::Layer*, CA::Transform const*) + 1439 (QuartzCore) [0x7fff3bc75b49]
                      2   CA::Render::Updater::prepare_layer0(CA::Render::Updater::GlobalState&, CA::Render::LayerNode*, CA::Render::Layer*, CA::Render::Updater::LocalState0&, unsigned long long) + 9716 (QuartzCore) [0x7fff3bd3cd83]
                        2   CA::Render::Updater::prepare_sublayer0(CA::Render::Updater::GlobalState&, CA::Render::Updater::LocalState0&, CA::Render::Layer*) + 45 (QuartzCore) [0x7fff3bd3a57f]
                          2   CA::Render::Updater::layer_node(CA::Render::Layer*, CA::Render::Updater::GlobalState const&, CA::Render::Updater::LocalState0 const&, bool&) + 304 (QuartzCore) [0x7fff3bd3a3b8]
                            2   <User mode>
                2   CGXBeginSurfaceLayerUpdate + 1670 (SkyLight) [0x7fff52526843]
                  2   WSGetCompositorMetal + 147 (SkyLight) [0x7fff524ddf22]
                    2   <User mode>
                1   CGXBeginSurfaceLayerUpdate + 6979 (SkyLight) [0x7fff52527d00]
                  1   _CFRelease + 300 (CoreFoundation) [0x7fff30bd8ccc]
                    1   region_finalize + 40 (CoreGraphics) [0x7fff30f2ae75]
                      1   free_tiny + 628 (libsystem_malloc.dylib) [0x7fff58674254]
                        1   get_tiny_previous_free_msize + 63 (libsystem_malloc.dylib) [0x7fff5865de59]
                          1   <User mode>
                1   CGXBeginSurfaceLayerUpdate + 7324 (SkyLight) [0x7fff52527e59]
                  1   <User mode>
                1   CGXBeginSurfaceLayerUpdate + 7023 (SkyLight) [0x7fff52527d2c]
                  1   CGRegionEqualToRegion + 39 (CoreGraphics) [0x7fff30f2d07d]
                    1   assert_check_region + 7 (CoreGraphics) [0x7fff30f2a6ff]
                      1   <User mode>
              2   prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 671 (SkyLight) [0x7fff525c2a3a]
            1   CGXUpdateDisplay + 14294 (SkyLight) [0x7fff525c198f]
              1   WS::DisplaySurface::Present(DisplaySurfaceSyncType) + 366 (SkyLight) [0x7fff52579112]
                1   ??? (CoreDisplay + 117602) [0x7fff309d0b62]
                  1   ??? (CoreDisplay + 112044) [0x7fff309cf5ac]
                    1   ??? (CoreDisplay + 526402) [0x7fff30a34842]
                      1   ??? (CoreDisplay + 264651) [0x7fff309f49cb]
                        1   IOPresentmentDisplayPipe::IOPresentmentEnd(__IOPresentmentTransaction*, unsigned long long, bool) + 1982 (IOPresentment) [0x7fff4ab0f924]
                          1   IOAccelDisplayPipeTransactionEnd + 74 (IOAccelerator) [0x7fff4aaf9388]
                            1   IOConnectCallStructMethod + 38 (IOKit) [0x7fff332ad0f7]
                              1   IOConnectCallMethod + 186 (IOKit) [0x7fff332abfc4]
                                1   io_connect_method + 369 (IOKit) [0x7fff332ac197]
                                  1   mach_msg_trap + 10 (libsystem_kernel.dylib) [0x7fff585fa7c2]
          1   window_post_move_event + 304 (SkyLight) [0x7fff524a5f19]
            1   CGXPostEventByConnection + 418 (SkyLight) [0x7fff52614e93]
              1   add_events_to_tap + 388 (SkyLight) [0x7fff52459a63]
                1   post_events_after_tap_id + 136 (SkyLight) [0x7fff52459f5b]
                  1   CGSEncodeEventRecord + 58 (SkyLight) [0x7fff5250903a]
                    1   event_create_data_with_options(__CFAllocator const*, __CGEvent*, SLEventCreateDataOptions, unsigned int) + 7490 (SkyLight) [0x7fff52508165]
                      1   szone_size + 96 (libsystem_malloc.dylib) [0x7fff5865d8c9]
                        1   <User mode>
      10  CGXRunOneServicesPass + 460 (SkyLight) [0x7fff526347d3]
        9   run_one_server_pass + 337 (SkyLight) [0x7fff52634999]
          9   mach_msg_trap + 10 (libsystem_kernel.dylib) [0x7fff585fa7c2]
        1   run_one_server_pass + 536 (SkyLight) [0x7fff52634a60]
          1   <User mode>
  39  <Effective Thread QoS Default, Requested Thread QoS Default>

  Binary Images:
         0x1014f6000 -        0x1014f6fff  WindowServer (312.23.4) <BD323A05-A87E-3D6E-846C-32A16D2E5CB3> /System/Library/PrivateFrameworks/SkyLight.framework/Resources/WindowServer
      0x7fff309b4000 -     0x7fff30a80fff  com.apple.CoreDisplay 1.0 (81.7) <D8030B81-097E-3FA2-A85C-AE1A3B8EBCFB> /System/Library/Frameworks/CoreDisplay.framework/Versions/A/CoreDisplay
      0x7fff30a81000 -     0x7fff30f1afff  com.apple.CoreFoundation 6.9 (1451) <739D6558-3DF3-3181-AA07-BBE3882D3B7F> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
      0x7fff30f1c000 -     0x7fff31547ff7  com.apple.CoreGraphics 2.0 (1129.5) <C3E052A6-B0EF-3017-A1EB-4C86CE986B8C> /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
      0x7fff332a8000 -     0x7fff33343fff  com.apple.framework.IOKit 2.0.2 <9CFA07B9-BA6E-31E4-AD4F-C47071A8C522> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
      0x7fff3bc3f000 -     0x7fff3be87fff  com.apple.QuartzCore 1.11 (584.8.102) <4479AF33-E6EA-3037-A2C1-3C6F12B1260A> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
      0x7fff4aaf3000 -     0x7fff4aafaffb  com.apple.IOAccelerator 376.6 (376.6) <A47129CC-F386-3C31-AD66-C19A70615A50> /System/Library/PrivateFrameworks/IOAccelerator.framework/Versions/A/IOAccelerator
      0x7fff4aafe000 -     0x7fff4ab15fff  com.apple.IOPresentment 1.0 (32.1) <B95F06EA-9D5D-311D-9912-978AE42ECFCE> /System/Library/PrivateFrameworks/IOPresentment.framework/Versions/A/IOPresentment
      0x7fff523ea000 -     0x7fff52684fff  com.apple.SkyLight 1.600.0 <455CE6F6-CD58-3E08-8300-CA8BDD3377FC> /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/SkyLight
      0x7fff58502000 -     0x7fff58502fff  libsystem_blocks.dylib (67) <F2493BB5-B1C6-3C4D-9F1F-1B402E0F1DB7> /usr/lib/system/libsystem_blocks.dylib
      0x7fff585e8000 -     0x7fff5860dff7  libsystem_kernel.dylib (4570.41.2) <5155A4C3-825B-3178-AC51-0D2D2F2A6618> /usr/lib/system/libsystem_kernel.dylib
      0x7fff5865a000 -     0x7fff58679fff  libsystem_malloc.dylib (140.40.1) <36B22C99-D772-3039-9A4C-AA31389965E1> /usr/lib/system/libsystem_malloc.dylib


Powerstats for:  CiscoVideoGuardM
UUID:            26970BC3-D274-3FC8-A666-24BF4BD7531B
Start time:      2018-02-25 15:55:37 +0000
End time:        2018-02-25 15:59:51 +0000
Microstackshots: 16 samples (11%)
Primary state:   13 samples Non-Frontmost App, Kernel mode, Effective Thread QoS Default, Requested Thread QoS Default, Override Thread QoS Unspecified
User Activity:   16 samples Idle, 0 samples Active
Power Source:    16 samples on Battery, 0 samples on AC
  16 _pthread_start + 357 (libsystem_pthread.dylib) [0xa782c3b2]
    16 _pthread_body + 347 (libsystem_pthread.dylib) [0xa782c50d]
      16 ??? (CiscoVideoGuardMonitor + 2525622) [0x3659b6]
        16 ??? (CiscoVideoGuardMonitor + 263818) [0x13d68a]
          16 ??? (CiscoVideoGuardMonitor + 262612) [0x13d1d4]
            15 ??? (CiscoVideoGuardMonitor + 345957) [0x151765]
              13 ??? (CiscoVideoGuardMonitor + 346807) [0x151ab7]
                13 pthread_cond_timedwait$UNIX2003 + 52 (libsystem_pthread.dylib) [0xa7832535]
                  13 __psynch_cvwait + 10 (libsystem_kernel.dylib) [0xa76fdd26]
              2  ??? (CiscoVideoGuardMonitor + 346877) [0x151afd]
                2  ??? (CiscoVideoGuardMonitor + 2529764) [0x3669e4]
                  2  ??? (CiscoVideoGuardMonitor + 2538193) [0x368ad1]
                    2  <User mode>
            1  ??? (CiscoVideoGuardMonitor + 345007) [0x1513af]
              1  gettimeofday + 1 (libsystem_c.dylib) [0xa7603d28]
                1  <User mode>

  Binary Images:
             0xfd000 -           0x410ff3  com.cisco.videoguardmonitor 1.0 (1.0) <26970BC3-D274-3FC8-A666-24BF4BD7531B> /Users/USER/Library/Cisco/*/VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor
          0xa75f3000 -         0xa767ffff  libsystem_c.dylib (1244.30.3) <8BCBF89D-5CE7-3950-884A-86E37DBF2660> /usr/lib/system/libsystem_c.dylib
          0xa76e1000 -         0xa7704ff7  libsystem_kernel.dylib (4570.41.2) <649BB7E7-6378-3D2C-BBC6-ED2577E551B9> /usr/lib/system/libsystem_kernel.dylib
          0xa7829000 -         0xa7833ff3  libsystem_pthread.dylib (301.30.1) <7409C1E5-F3BA-3AB3-ADC1-9DCD356C6C13> /usr/lib/system/libsystem_pthread.dylib