Parent page of this data file: https://divinity-in-action.com/articles/pegasusspyware/macbooks/ Spyware Found on Irina Bright’s MacBooks, Which May Be Related to Pegasus Spyware. File name: WindowServer_2018-02-28-132828_Irinas-MacBook-Pro.wakeups_resource.diag Downloaded from: McBook > Library_Logs_DiagnosticReports. Date/Time: 2018-02-28 13:23:29.994772 +0000 OS Version: Mac OS X 10.13.3 (Build 17D102) Architecture: x86_64 Report Version: 19 Command: WindowServer Path: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer Version: ??? (???) Parent: launchd [1] PID: 167 Event: wakeups Wakeups: 45001 wakeups over the last 291 seconds (155 wakeups per second average), exceeding limit of 150 wakeups per second over 300 seconds Action taken: none Duration: 290.64s Steps: 142 Hardware model: MacBookPro9,2 Active cpus: 4 Fan speed: 2017 rpm Powerstats for: WindowServer [167] UUID: BD323A05-A87E-3D6E-846C-32A16D2E5CB3 Start time: 2018-02-28 13:23:34 +0000 End time: 2018-02-28 13:28:19 +0000 Parent: launchd Microstackshots: 119 samples (83%) Primary state: 63 samples Non-Frontmost App, User mode, Effective Thread QoS Unspecified, Requested Thread QoS Unspecified, Override Thread QoS Unspecified User Activity: 119 samples Idle, 0 samples Active Power Source: 0 samples on Battery, 119 samples on AC 67 ??? (WindowServer + 3550) [0x1026afdde] 67 SLXServer + 832 (SkyLight) [0x7fff593142b9] 65 CGXRunOneServicesPass + 247 (SkyLight) [0x7fff593136fe] 65 run_timer_pass + 495 (SkyLight) [0x7fff592e3ce4] 65 update_display_callback(void*, double) + 257 (SkyLight) [0x7fff5929cf86] 64 CGXUpdateDisplay + 5711 (SkyLight) [0x7fff5929e808] 59 prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 554 (SkyLight) [0x7fff592a19c5] 27 CGXBeginSurfaceLayerUpdate + 7388 (SkyLight) [0x7fff59206e99] 13 invalidate_window_surface_region + 189 (SkyLight) [0x7fff592016d0] 6 reschedule_callback_on_session + 65 (SkyLight) [0x7fff592e34e8] 4 CGSessionControlIsSessionDefunct + 79 (SkyLight) [0x7fff59296736] 2 CFDictionaryContainsValue + 6 (CoreFoundation) [0x7fff377c12f6] 1 CFDictionaryContainsValue + 75 (CoreFoundation) [0x7fff377c133b] 1 CFDictionaryContainsValue + 119 (CoreFoundation) [0x7fff377c1367] 1 CFBasicHashGetCountOfValue + 430 (CoreFoundation) [0x7fff377c155e] 1 CFBasicHashGetBucket + 243 (CoreFoundation) [0x7fff3778bee3] 2 _Block_object_assign + 349 (libsystem_blocks.dylib) [0x7fff5f1e1c39] 3 reschedule_callback_on_session + 387 (SkyLight) [0x7fff592e362a] 1 free + 116 (libsystem_malloc.dylib) [0x7fff5f33c6d1] 1 szone_size + 333 (libsystem_malloc.dylib) [0x7fff5f33c9b6] 1 szone_size + 30 (libsystem_malloc.dylib) [0x7fff5f33c887] 3 reschedule_callback_on_session + 94 (SkyLight) [0x7fff592e3505] 3 malloc + 24 (libsystem_malloc.dylib) [0x7fff5f33a50b] 3 malloc_zone_malloc + 103 (libsystem_malloc.dylib) [0x7fff5f33b201] 2 szone_malloc_should_clear + 422 (libsystem_malloc.dylib) [0x7fff5f33b403] 2 tiny_malloc_from_free_list + 135 (libsystem_malloc.dylib) [0x7fff5f33c25c] 1 szone_malloc_should_clear + 1288 (libsystem_malloc.dylib) [0x7fff5f33b765] 1 reschedule_callback_on_session + 275 (SkyLight) [0x7fff592e35ba] 5 invalidate_window_surface_region + 50 (SkyLight) [0x7fff59201645] 3 CGXCreateScreenVisibleContentShapeForWindow + 35 (SkyLight) [0x7fff5914328d] 3 create_opaque_shape_above_for_window + 42 (SkyLight) [0x7fff59142c0a] 2 WSGetGeometrySeed + 10 (CoreDisplay) [0x7fff3772ea7c] 2 CGXGetCurrentSessionScoreboardDisplaySet + 36 (SkyLight) [0x7fff592f5b4d] 1 CGXSenderCanSynthesizeEvents + 159 (SkyLight) [0x7fff592f5b29] 2 CGXCreateScreenVisibleContentShapeForWindow + 62 (SkyLight) [0x7fff591432a8] 2 CGRegionCreateIntersectionWithRegion + 104 (CoreGraphics) [0x7fff37c0a071] 2 shape_intersect + 125 (CoreGraphics) [0x7fff37c0a0fa] 2 malloc + 24 (libsystem_malloc.dylib) [0x7fff5f33a50b] 2 malloc_zone_malloc + 103 (libsystem_malloc.dylib) [0x7fff5f33b201] 2 szone_malloc_should_clear + 2721 (libsystem_malloc.dylib) [0x7fff5f33bcfe] 3 invalidate_window_surface_region + 140 (SkyLight) [0x7fff5920169f] 3 region_create_with_shape + 37 (CoreGraphics) [0x7fff37bfe04a] 3 CGTypeCreateInstance + 46 (CoreGraphics) [0x7fff37bfd083] 3 _CFRuntimeCreateInstance + 284 (CoreFoundation) [0x7fff377631ac] 3 malloc_zone_malloc + 103 (libsystem_malloc.dylib) [0x7fff5f33b201] 3 szone_malloc_should_clear + 422 (libsystem_malloc.dylib) [0x7fff5f33b403] 2 get_tiny_free_size + 60 (libsystem_malloc.dylib) [0x7fff5f33d631] 1 tiny_malloc_from_free_list + 151 (libsystem_malloc.dylib) [0x7fff5f33c26c] 2 invalidate_window_surface_region + 197 (SkyLight) [0x7fff592016d8] 2 CGRegionRelease + 6 (CoreGraphics) [0x7fff37c09dd2] 2 WSRemoveAllPortDataHandlersForPort + 138 (SkyLight) [0x7fff5931330b] 1 CGXPackagesNoteModificationActivityForConnection + 1 (SkyLight) [0x7fff59184933] 1 CGXWindowPluginLayerInvalidate + 1 (SkyLight) [0x7fff591a46ea] 9 CGXBeginSurfaceLayerUpdate + 7791 (SkyLight) [0x7fff5920702c] 2 _CFRelease + 300 (CoreFoundation) [0x7fff378b7ccc] 2 region_finalize + 40 (CoreGraphics) [0x7fff37c09e75] 1 free_tiny + 62 (libsystem_malloc.dylib) [0x7fff5f35301e] 1 free_tiny + 128 (libsystem_malloc.dylib) [0x7fff5f353060] 2 _CFRelease + 769 (CoreFoundation) [0x7fff378b7ea1] 2 _CFRelease + 361 (CoreFoundation) [0x7fff378b7d09] 1 _CFRelease + 1088 (CoreFoundation) [0x7fff378b7fe0] 1 default_zone_free + 16 (libsystem_malloc.dylib) [0x7fff5f34b32a] 1 _CFRelease + 666 (CoreFoundation) [0x7fff378b7e3a] 1 _CFRelease + 207 (CoreFoundation) [0x7fff378b7c6f] 7 CGXBeginSurfaceLayerUpdate + 2075 (SkyLight) [0x7fff592059d8] 7 CARenderUpdateAddContext2 + 48 (QuartzCore) [0x7fff42a2136c] 3 CA::Render::Update::add_context(CA::Render::Context*, CA::Render::Layer*, CA::Transform const*) + 1439 (QuartzCore) [0x7fff42954b49] 3 CA::Render::Updater::prepare_layer0(CA::Render::Updater::GlobalState&, CA::Render::LayerNode*, CA::Render::Layer*, CA::Render::Updater::LocalState0&, unsigned long long) + 9716 (QuartzCore) [0x7fff42a1bd83] 2 CA::Render::Updater::prepare_sublayer0(CA::Render::Updater::GlobalState&, CA::Render::Updater::LocalState0&, CA::Render::Layer*) + 45 (QuartzCore) [0x7fff42a1957f] 2 CA::Render::Updater::layer_node(CA::Render::Layer*, CA::Render::Updater::GlobalState const&, CA::Render::Updater::LocalState0 const&, bool&) + 251 (QuartzCore) [0x7fff42a19383] 1 CA::Render::Updater::prepare_sublayer0(CA::Render::Updater::GlobalState&, CA::Render::Updater::LocalState0&, CA::Render::Layer*) + 489 (QuartzCore) [0x7fff42a1973b] 2 x_heap_malloc_small_ + 1 (QuartzCore) [0x7fff4292d4dd] 1 CA::Render::Update::add_context(CA::Render::Context*, CA::Render::Layer*, CA::Transform const*) + 180 (QuartzCore) [0x7fff4295465e] 1 CA::Render::Update::add_context(CA::Render::Context*, CA::Render::Layer*, CA::Transform const*) + 2068 (QuartzCore) [0x7fff42954dbe] 1 5 CGXBeginSurfaceLayerUpdate + 346 (SkyLight) [0x7fff59205317] 2 CGColorSpaceRetain + 32 (CoreGraphics) [0x7fff37bfebd4] 2 CGXGetDisplaysWithRect + 74 (CoreDisplay) [0x7fff3772b8c8] 1 CGRectIntersectsRect + 1 (CoreGraphics) [0x7fff37bfebd5] 3 CGXBeginSurfaceLayerUpdate + 88 (SkyLight) [0x7fff59205215] 3 CGXBeginSurfaceLayerUpdate + 7485 (SkyLight) [0x7fff59206efa] 1 CGXBeginSurfaceLayerUpdate + 6929 (SkyLight) [0x7fff59206cce] 1 CGRegionCreateByTransformingRegion + 1270 (CoreGraphics) [0x7fff37c0d04a] 1 region_create_with_shape + 37 (CoreGraphics) [0x7fff37bfe04a] 1 CGTypeCreateInstance + 46 (CoreGraphics) [0x7fff37bfd083] 1 _CFRuntimeCreateInstance + 596 (CoreFoundation) [0x7fff377632e4] 1 CGXBeginSurfaceLayerUpdate + 3250 (SkyLight) [0x7fff59205e6f] 1 WSSurfaceCopyRemoteRegionContextIDs + 119 (SkyLight) [0x7fff5926c00b] 1 std::__1::vector >::reserve(unsigned long) + 6 (SkyLight) [0x7fff591e7716] 1 CGXBeginSurfaceLayerUpdate + 7023 (SkyLight) [0x7fff59206d2c] 1 CGRegionEqualToRegion + 39 (CoreGraphics) [0x7fff37c0c07d] 1 assert_check_shape + 15 (CoreGraphics) [0x7fff37c092ea] 1 CGXBeginSurfaceLayerUpdate + 6979 (SkyLight) [0x7fff59206d00] 1 _CFRelease + 300 (CoreFoundation) [0x7fff378b7ccc] 1 region_finalize + 40 (CoreGraphics) [0x7fff37c09e75] 1 szone_size + 96 (libsystem_malloc.dylib) [0x7fff5f33c8c9] 1 CGXBeginSurfaceLayerUpdate + 292 (SkyLight) [0x7fff592052e1] 1 CGRegionGetBoundingBox + 67 (CoreGraphics) [0x7fff37c099e6] 1 assert_check_shape + 1 (CoreGraphics) [0x7fff37c092dc] 2 prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 579 (SkyLight) [0x7fff592a19de] 2 malloc + 24 (libsystem_malloc.dylib) [0x7fff5f33a50b] 2 malloc_zone_malloc + 103 (libsystem_malloc.dylib) [0x7fff5f33b201] 1 szone_malloc_should_clear + 422 (libsystem_malloc.dylib) [0x7fff5f33b403] 1 tiny_malloc_from_free_list + 151 (libsystem_malloc.dylib) [0x7fff5f33c26c] 1 szone_malloc_should_clear + 1288 (libsystem_malloc.dylib) [0x7fff5f33b765] 2 prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 558 (SkyLight) [0x7fff592a19c9] 1 prepare_CoreAnimation_update_state(CGXConnection*, CGXWindowSubArray, bool, bool) + 566 (SkyLight) [0x7fff592a19d1] 1 CGXUpdateDisplay + 725 (SkyLight) [0x7fff5929d48e] 1 finalize_CoreAnimation_update_state(CGXCoreAnimationUpdateState*) + 84 (SkyLight) [0x7fff592a6468] 1 x_list_free_b + 31 (SkyLight) [0x7fff5924f10f] 1 CGXFinishSurfaceLayerUpdate + 164 (SkyLight) [0x7fff59207994] 1 WSCALayerBacking::FinishUpdate() + 33 (SkyLight) [0x7fff59279227] 1 CARenderUpdateFinish + 22 (QuartzCore) [0x7fff42a21f32] 1 CA::Render::Update::~Update() + 646 (QuartzCore) [0x7fff4298a69e] 1 CA::Render::BackdropGroup::sweep_buffers(unsigned int) + 119 (QuartzCore) [0x7fff4298a94f] 1 2 CGXRunOneServicesPass + 460 (SkyLight) [0x7fff593137d3] 2 run_one_server_pass + 337 (SkyLight) [0x7fff59313999] 2 mach_msg_trap + 10 (libsystem_kernel.dylib) [0x7fff5f2d97c2] 2 30 22 Binary Images: 0x1026af000 - 0x1026affff WindowServer (312.23.4) /System/Library/PrivateFrameworks/SkyLight.framework/Resources/WindowServer 0x7fff37693000 - 0x7fff3775ffff com.apple.CoreDisplay 1.0 (81.7) /System/Library/Frameworks/CoreDisplay.framework/Versions/A/CoreDisplay 0x7fff37760000 - 0x7fff37bf9fff com.apple.CoreFoundation 6.9 (1451) <739D6558-3DF3-3181-AA07-BBE3882D3B7F> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x7fff37bfb000 - 0x7fff38226ff7 com.apple.CoreGraphics 2.0 (1129.5) /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x7fff4291e000 - 0x7fff42b66fff com.apple.QuartzCore 1.11 (584.8.102) <4479AF33-E6EA-3037-A2C1-3C6F12B1260A> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore 0x7fff590c9000 - 0x7fff59363fff com.apple.SkyLight 1.600.0 <455CE6F6-CD58-3E08-8300-CA8BDD3377FC> /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/SkyLight 0x7fff5f1e1000 - 0x7fff5f1e1fff libsystem_blocks.dylib (67) /usr/lib/system/libsystem_blocks.dylib 0x7fff5f2c7000 - 0x7fff5f2ecff7 libsystem_kernel.dylib (4570.41.2) <5155A4C3-825B-3178-AC51-0D2D2F2A6618> /usr/lib/system/libsystem_kernel.dylib 0x7fff5f339000 - 0x7fff5f358fff libsystem_malloc.dylib (140.40.1) <36B22C99-D772-3039-9A4C-AA31389965E1> /usr/lib/system/libsystem_malloc.dylib Powerstats for: CiscoVideoGuardM UUID: 26970BC3-D274-3FC8-A666-24BF4BD7531B Start time: 2018-02-28 13:23:50 +0000 End time: 2018-02-28 13:28:11 +0000 Microstackshots: 16 samples (11%) Primary state: 12 samples Non-Frontmost App, Kernel mode, Effective Thread QoS Default, Requested Thread QoS Default, Override Thread QoS Unspecified User Activity: 16 samples Idle, 0 samples Active Power Source: 0 samples on Battery, 16 samples on AC 16 _pthread_start + 357 (libsystem_pthread.dylib) [0xa782c3b2] 16 _pthread_body + 347 (libsystem_pthread.dylib) [0xa782c50d] 16 ??? (CiscoVideoGuardMonitor + 2525622) [0x30c9b6] 16 ??? (CiscoVideoGuardMonitor + 263818) [0xe468a] 16 ??? (CiscoVideoGuardMonitor + 262612) [0xe41d4] 14 ??? (CiscoVideoGuardMonitor + 345957) [0xf8765] 12 ??? (CiscoVideoGuardMonitor + 346807) [0xf8ab7] 12 pthread_cond_timedwait$UNIX2003 + 52 (libsystem_pthread.dylib) [0xa7832535] 12 __psynch_cvwait + 10 (libsystem_kernel.dylib) [0xa76fdd26] 2 ??? (CiscoVideoGuardMonitor + 99937) [0xbc661] 2 2 ??? (CiscoVideoGuardMonitor + 345007) [0xf83af] 2 ??? (CiscoVideoGuardMonitor + 116197) [0xc05e5] 2 ??? (CiscoVideoGuardMonitor + 117105) [0xc0971] 2 gmtime_r + 22 (libsystem_c.dylib) [0xa7646910] 2 gmtsub + 29 (libsystem_c.dylib) [0xa76462cd] 2 notify_check_tz + 29 (libsystem_c.dylib) [0xa76450bd] 2 notify_check + 87 (libsystem_notify.dylib) [0xa781faad] 2 registration_node_find + 53 (libsystem_notify.dylib) [0xa781e814] 2 _nc_table_find_n + 22 (libsystem_notify.dylib) [0xa7821436] 2 _nc_table_find_64 + 29 (libsystem_notify.dylib) [0xa78213ed] 2 Binary Images: 0xa4000 - 0x3b7ff3 com.cisco.videoguardmonitor 1.0 (1.0) <26970BC3-D274-3FC8-A666-24BF4BD7531B> /Users/USER/Library/Cisco/*/VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor 0xa75f3000 - 0xa767ffff libsystem_c.dylib (1244.30.3) <8BCBF89D-5CE7-3950-884A-86E37DBF2660> /usr/lib/system/libsystem_c.dylib 0xa76e1000 - 0xa7704ff7 libsystem_kernel.dylib (4570.41.2) <649BB7E7-6378-3D2C-BBC6-ED2577E551B9> /usr/lib/system/libsystem_kernel.dylib 0xa7819000 - 0xa7821ff3 libsystem_notify.dylib (172) <63E3CF8C-4F15-3D45-84A6-1218352031E9> /usr/lib/system/libsystem_notify.dylib 0xa7829000 - 0xa7833ff3 libsystem_pthread.dylib (301.30.1) <7409C1E5-F3BA-3AB3-ADC1-9DCD356C6C13> /usr/lib/system/libsystem_pthread.dylib