FGDump is a legitimate penetration-testing utility that security professionals use to extract password hashes from Windows systems. When antivirus software flags HackTool:Win32/FGDump, it's detecting either the authentic tool being misused by an attacker or malware disguised to look like it. While FGDump itself serves a legitimate purpose in authorized security audits, its presence on a home or business computer without your knowledge indicates either a compromise by an intruder harvesting credentials or infection by malware masquerading under this name to evade suspicion.


The detection doesn't automatically mean you're under active attack (some IT administrators download penetration-testing tools for legitimate work), but the unauthorized presence of a credential-dumping utility is a critical security risk. An attacker with extracted password hashes can crack them offline, or replay NT hashes directly in a pass-the-hash attack without cracking them at all, to gain administrative access, pivot to other systems on your network, or steal sensitive data. FGDump runs in user mode rather than in the kernel, but it injects into the most sensitive part of Windows authentication, the LSASS process that guards the SAM database and cached domain logons, so its unauthorized use or impersonation demands immediate investigation.

Think you're infected right now? Disconnect your computer from the network immediately (unplug ethernet, disable Wi-Fi). Do not enter passwords or access financial accounts until the system is cleaned. This threat targets your credentials — assume any passwords entered on this machine may be compromised. Call Computer Repair Roswell at (770) 856-1577 or bring your system to our shop at 1960 Vaughn Road, Suite 100, Kennesaw, GA 30144. We offer same-day diagnostics and can determine if you're dealing with the legitimate tool misused by an intruder or malware impersonation.

Threat Profile

Attribute Details
Family HackTool / Credential Access Tool / pwdump-class utility (fgdump wraps pwdump6, cachedump and pstgdump)
Aliases HackTool:Win32/FgDump, Tool.FGDump, PUA:Win32/FGDump, HackTool.FGDump
Platform Windows NT family, 32-bit and 64-bit (the tool dates from the pwdump6 era and is unmaintained; antivirus engines still flag it on Windows 10/11, where LSA Protection or Credential Guard may also stop it from working)
Legitimate Use Authorized penetration testing, security audits, password policy assessment
Malicious Context Credential theft, lateral movement preparation, post-exploitation harvesting
Typical Distribution Manual deployment by attackers post-compromise; occasionally bundled with exploit kits or dropped by trojans
Privileges Required Administrator/SYSTEM (must run elevated to access SAM and LSASS)
Primary Targets SAM database, LSASS process memory, cached domain credentials, LSA secrets
Output Artifacts <host>.pwdump (one user:RID:LMhash:NThash::: line per account), <host>.cachedump (cached domain logons), protected-storage output, and a log file, all written to the working directory
Persistence None (designed as on-demand tool); attackers may schedule execution or pair with backdoor
Network Behavior None inherent to tool itself; extracted credentials used in subsequent attacks
Detection Difficulty Moderate — legitimate tool triggers heuristics; skilled attackers may disable AV first
Removal Complexity Low for the tool itself; high for determining compromise scope and credential security

How It Spreads

FGDump doesn't spread like traditional malware — it doesn't self-replicate or propagate through networks. Instead, attackers manually introduce it to systems they've already compromised through other means. The tool serves as a second-stage payload in multi-phase attacks, appearing after the initial breach has already granted the attacker administrative access. Understanding this delivery pattern is crucial: if you find FGDump on your system without intentionally downloading it, you're dealing with the aftermath of a successful intrusion, not the initial infection vector.

The tool reaches victim systems through several common pathways. Attackers who've gained remote access via exploited vulnerabilities, stolen credentials, or social engineering will upload their toolkit — including FGDump or similar utilities — directly to the compromised machine. Remote Desktop Protocol (RDP) sessions with weak passwords remain a favorite entry point, allowing attackers to simply copy the tool over and execute it with the credentials they've already stolen or guessed. In corporate environments, attackers often use legitimate system administration tools like PsExec to deploy the utility across multiple machines once they've established a foothold on the domain.

Common distribution scenarios include:

  • Post-exploitation frameworks: Attackers using Metasploit, Cobalt Strike, or similar platforms upload and run FGDump (or use a built-in equivalent such as Metasploit's hashdump) after establishing initial access through unpatched vulnerabilities or phishing campaigns
  • Trojan droppers: Some banking trojans and RATs (Remote Access Trojans) download credential-dumping tools as secondary payloads once they detect valuable targets or privileged accounts
  • Compromised administrator accounts: Attackers with stolen domain admin credentials push the tool through Group Policy, logon scripts, or other management mechanisms to harvest credentials en masse
  • USB-based attacks: During physical access scenarios, attackers boot to alternate operating systems or use USB-resident tools that include FGDump for offline credential extraction
  • Supply chain compromise: Rarely, the tool appears pre-installed on systems with compromised disk images or in environments where rogue IT personnel planted backdoors
  • Malware impersonation: Generic malware mimics FGDump's file structure and naming to confuse analysis while actually performing different malicious activities

What It Does On Your Machine

When executed with administrative privileges, FGDump performs a series of highly invasive operations against the core authentication mechanisms of Windows. By design, the tool first tries to stop antivirus services that would otherwise block it, and restarts them when it finishes. This happens whether the operator is an auditor or an intruder, so the antivirus shutdown is a signal that credential dumping is underway, not a signal of intent; what distinguishes authorized use is a tester who was expected, a change record, and an allow-list entry, not the tool behaving differently. It then installs a short-lived helper service that injects a DLL into the Local Security Authority Subsystem Service (LSASS), the Windows process responsible for enforcing security policy and handling user authentication.

From within LSASS's memory space, FGDump extracts the LM and NT password hashes of every local account in the Security Account Manager (SAM) database, including password histories where Windows keeps them. These hashes are one-way transformations of the passwords, but they are unsalted: an LM hash (still stored on legacy systems that allow it) falls in minutes, an NT hash falls to GPU-accelerated cracking in minutes to hours depending on password complexity, and an NT hash needs no cracking at all to be replayed in a pass-the-hash attack against any other machine where the same account and password exist. The tool also pulls cached domain logon verifiers (the cachedump component) from the LSA secrets area of the SECURITY hive for the last 10 to 50 domain users who logged on (Windows caches 10 by default, configurable up to 50), plus protected-storage data such as saved browser and mail passwords on older systems. Cached domain verifiers on Vista and later are PBKDF2-based and slow to crack, but they still let an attacker target those accounts offline and should be treated as exposed.

The extracted data is written to output files in the working directory, named after the target host: when run against the local machine, typically 127.0.0.1.pwdump for local hashes and 127.0.0.1.cachedump for cached credentials. The pwdump lines have the form username:RID:LMhash:NThash::: and are ready for offline cracking with Hashcat or John the Ripper, or for direct replay. The tool does touch disk, but only briefly (helper service executable and DLL, output and log files), and it uses ordinary Windows service and process-injection APIs and removes its helpers on exit, so file-based detection is hit-or-miss and behavioral detection only works if endpoint protection specifically watches for handles opened to LSASS and for new service installations.
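The pwdump format described above is what the attacker walks away with, so it is worth knowing what a defender can read off it too. The following PowerShell is an added example written for this article, not code from the fgdump project: it parses constructed pwdump lines, flags which accounts have a usable NT hash (replayable without cracking), which still carry an LM hash, and which have an empty password, and orders the password resets. The sample accounts and RIDs are made up; the two "empty" hash constants are the well-known Windows values, and the svc_backup line uses the widely published LM and NT hashes of the string "password".

```powershell
# Added example (not part of the original article or the fgdump tool): triage a
# pwdump-format dump. Sample lines are constructed; no real credentials.
$sample = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
'@

$EmptyLM = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash when no LM hash is stored (NoLMHash) or password is empty
$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

function ConvertFrom-PwDump {
    # Each line: user:RID:LMhash:NThash::: (fgdump/pwdump6 output, also accepted by hashcat -m 1000 / -m 3000)
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Split(':')
        if ($f.Count -lt 4) { Write-Warning "Unparsed line: $line"; continue }
        $lm = $f[2].ToLower(); $nt = $f[3].ToLower()
        [pscustomobject]@{
            User          = $f[0]
            RID           = [int]$f[1]
            LMHash        = $lm
            NTHash        = $nt
            BuiltInAdmin  = ($f[1] -eq '500')       # RID 500 is the built-in Administrator even if renamed
            EmptyPassword = ($nt -eq $EmptyNT)      # logon with no password at all
            LMStored      = ($lm -ne $EmptyLM)      # legacy LM hash present: case-folded, 7+7 split, cracks in minutes
            PassTheHash   = ($nt -ne $EmptyNT)      # any real NT hash can be replayed without cracking
        }
    }
}

$accounts = ConvertFrom-PwDump ($sample -split "`r?`n")
$accounts | Format-Table User, RID, BuiltInAdmin, EmptyPassword, LMStored, PassTheHash -AutoSize

# Reset order: accounts whose NT hash is usable, built-in Administrator first, then by RID.
$accounts | Where-Object PassTheHash |
    Sort-Object @{ Expression = { $_.BuiltInAdmin }; Descending = $true }, RID |
    ForEach-Object { "Reset first: $($_.User) (RID $($_.RID))" }
```

Two of the four sample accounts have an empty NT hash (no password set) and so nothing to replay; svc_backup has both an LM and an NT hash and lands at the top of the reset list, which is exactly the account an attacker would try first with pass-the-hash against other machines.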

After execution completes — usually in seconds — FGDump typically re-enables any services it disabled, though this restoration doesn't always succeed if the tool crashes or gets forcibly terminated. The real damage persists in those exported credential files, which attackers exfiltrate for offline processing. Even if you detect and remove FGDump immediately, the attacker may have already copied these files off-system, giving them persistent unauthorized access until you change all affected passwords.

Typical Artifacts (Varies by attacker OpSec)

Files:
  C:\Users\[Username]\Downloads\fgdump.exe
  C:\Users\[Username]\Downloads\127.0.0.1.pwdump
  C:\Users\[Username]\Downloads\127.0.0.1.cachedump
  C:\Windows\Temp\pwdump.tmp

Registry modifications (only if the attacker added persistence):
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "SecurityUpdate" = "C:\ProgramData\svchost\fgdump.exe -q"

Scheduled tasks (attacker-dependent):
  schtasks /query /tn "\Microsoft\Windows\Maintenance\SecurityScan"
  Such a task may run fgdump weekly to refresh stolen credentials

Windows Event Log entries (if auditing is enabled):
  Event ID 4673 (Security): Sensitive privilege use (SeDebugPrivilege, needed to open LSASS)
  Event ID 4688 (Security): Process creation for fgdump.exe under the intruder's admin account, followed shortly by its helper service process running as SYSTEM
  Event ID 7045 (System) / 4697 (Security): a new service installed for the LSASS-injection helper; PsExec deployment leaves the same trace
  Sysmon Event ID 10 (if Sysmon is deployed): a non-system process opening a handle to lsass.exe

Manual Removal — Step by Step

01

Isolate the System Immediately

Disconnect the computer from all networks before taking any other action. Unplug the ethernet cable and disable Wi-Fi through the hardware switch or by turning off the adapter in Network Connections. If this is a business computer connected to a domain, notify your IT security team immediately — the attacker may have already moved laterally to other systems. Do not reconnect until credential resets are complete and you've verified the system is clean.

02

Boot Into Safe Mode with Networking

Restart the computer and enter Safe Mode to prevent most startup programs and services from loading, including any backdoors the attacker may have installed alongside FGDump. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and press F4 for Safe Mode or F5 for Safe Mode with Networking. Networking in Safe Mode is the one exception to step 1, and it cuts against it: if the attacker still holds valid credentials, any connection is a window for them. Prefer plain Safe Mode and download the scanning tools in later steps on a separate, known-clean computer, carrying them over on a USB stick; use Safe Mode with Networking only if that is impossible, and keep the session short. Safe Mode also does not disable every persistence mechanism (services marked as safe-boot services still start), so steps 3 and 4 remain necessary.

03

Identify and Terminate Suspicious Processes

Open Task Manager (Ctrl+Shift+Esc) and examine running processes for fgdump.exe, pwdump variants, or unfamiliar executables running with SYSTEM privileges. Check the "Details" tab and sort by "User name" to spot processes running as SYSTEM that shouldn't be. Right-click any suspicious process and choose "End Process Tree" to terminate it and any child processes. Before terminating, document the file location shown in the "Command line" and "Image path name" columns (add them by right-clicking a column header in Details and choosing "Select columns"); you'll need this information for file removal.

04

Remove Persistence Mechanisms

Check common persistence locations where attackers plant startup entries. Open Registry Editor (regedit.exe) and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the RunOnce key beside it, and the same two keys under HKCU; delete any entries pointing to executables you don't recognize, noting the path of each first. Open Task Scheduler and review the Task Scheduler Library for recently created tasks, especially those running as SYSTEM, those whose action points outside C:\Windows or Program Files, or those hidden from the task list. Open Services (services.msc) and look for recently installed services with unfamiliar paths, since FGDump and PsExec both register a service. Sysinternals Autoruns shows all of these locations, plus WMI subscriptions and other less obvious ones, in a single view. Delete any suspicious scheduled tasks and services after noting their configuration for investigation purposes.

05

Delete the Tool and Associated Files

Navigate to the folder where FGDump and its output files were found (typically Downloads, Temp, or ProgramData subdirectories). Before deleting anything, record each file's full path, creation and modification times, and SHA-256 hash (Get-FileHash in PowerShell), or copy the files to removable media; your IT team, a forensic examiner, or an insurer will want that record, and the timestamps anchor the timeline in step 8. Then delete fgdump.exe and all associated files including .pwdump, .cachedump, and log files. Check for multiple copies, since attackers often place the tool in several locations. Empty the Recycle Bin to prevent recovery. If you encounter "access denied" errors, take ownership of the files through Properties > Security > Advanced > Change Owner, then try deletion again.

06

Scan with Multiple Security Tools

Run a full scan with a second-opinion scanner such as Malwarebytes (the free version is sufficient) to look for the malware that may have delivered FGDump; the tool itself is usually already flagged by the antivirus that raised the alert. Follow up with Microsoft Defender Offline Scan (built into Windows Security), which boots outside Windows and can check for rootkits and boot-sector infections that regular scans miss. Consider a third opinion from Kaspersky Virus Removal Tool or Emsisoft Emergency Kit. Quarantine or delete all detections, but save the scan logs: they document the scope of compromise.

07

Change All Passwords from a Clean Device

This is critical: assume every password entered on this computer has been compromised. From a different, known-clean device (smartphone, tablet, or another computer), immediately change passwords for all accounts, especially email, banking, work VPN, and cloud services. Enable multi-factor authentication everywhere it's available. Reset even passwords you consider strong: an NT hash can be replayed with pass-the-hash without ever being cracked, so only a change of password invalidates it. For local Windows accounts on the infected machine, change those passwords from Safe Mode after scanning is complete. If this was a domain-joined work computer, coordinate with IT to reset domain passwords (including any service accounts that logged on to this machine) and revoke active sessions.

08

Review System and Security Logs

Open Event Viewer (eventvwr.msc) and examine Windows Logs > Security for unusual activity. Look for Event ID 4624 (successful logons) with logon type 10 (Remote Desktop) or type 3 (network, as used by PsExec and SMB) from unexpected source addresses, Event ID 4672 (special privileges assigned) around the time of compromise, Event ID 4688 (process creation) entries for fgdump.exe, and Event ID 4697 in Security or 7045 in Windows Logs > System for services installed around the same time. Check the timeline to determine when the compromise occurred and what other systems the attacker may have accessed using stolen credentials. Export relevant log sections (right-click the log > Save All Events As) for documentation before they rotate out.

09

Update and Patch Everything

Run Windows Update and install all available security patches — attackers likely exploited an unpatched vulnerability to gain initial access. Update all installed applications, especially browsers, PDF readers, Java, and other common exploit targets. Check the Windows Security settings and ensure Real-time Protection, Cloud-delivered Protection, and Tamper Protection are all enabled — attackers sometimes disable these permanently. Restart after updates complete.

10

Verify and Monitor

Reboot into normal mode and observe system behavior for several days. Monitor Task Manager for suspicious processes, watch for unexpected network activity in Resource Monitor, and review Windows Security scan results daily. Check browser extensions and installed programs for anything unfamiliar — attackers often install additional payloads for persistent access. If you notice any recurrence of suspicious activity, the compromise may be deeper than tool-level removal can address, and professional forensic analysis or complete system reinstallation may be necessary.
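The ten steps above are manual and easy to do out of order under stress. The script below is an added example written for this article (not part of the original text or of any product it names) that performs the read-only parts of steps 3, 4, 5 and 8 in one pass from an elevated PowerShell prompt: it locates tool binaries and dump output and hashes them before anything is deleted, lists Run-key and scheduled-task autostarts worth a look, pulls the process-creation, remote-logon, service-installation and (if Sysmon is present) LSASS-access events, and exports the raw logs. The evidence folder, the 30-day look-back window, the drop-folder list and the file-name patterns are assumptions; it deletes nothing.

```powershell
# Added example (not part of the original article): read-only triage and evidence
# collection for a suspected fgdump/pwdump incident. Run elevated. Assumptions:
# evidence folder, look-back window, drop folders and name patterns below.
#Requires -RunAsAdministrator
$Evidence = 'C:\Evidence'                                # assumption: where hashes and exported logs go
$Since    = (Get-Date).AddDays(-30)                      # assumption: look-back window
$Pattern  = 'fgdump|pwdump|cachedump|pstgdump'           # assumption: names the operator did not bother to change
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Files: tool binaries and dump output in the usual drop locations (step 5), hashed before deletion.
$Roots = 'C:\Users', 'C:\Windows\Temp', 'C:\ProgramData', 'C:\Temp'
$Files = Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern -or $_.Extension -in '.pwdump', '.cachedump', '.pstgdump' }
$Files | Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv "$Evidence\files.csv" -NoTypeInformation
$Files | ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_.FullName } |
    Select-Object Path, Hash | Export-Csv "$Evidence\file_hashes.csv" -NoTypeInformation

# 2. Autostart entries in the Run/RunOnce keys (step 4).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Autoruns = foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |            # drop the provider's PSPath/PSParentPath/... noise
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Scheduled tasks whose action names the tool or runs from outside Windows/Program Files (step 4).
#    A review list, not a verdict: a few legitimate tasks use bare executable names and will appear here.
$Tasks = Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }                          # COM-handler actions have no Execute
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $Pattern -or
            $a.Execute -notmatch '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)') {
            [pscustomobject]@{ Task = "$($t.TaskPath)$($t.TaskName)"; RunAs = $t.Principal.UserId
                               State = $t.State; Command = $cmd }
        }
    }
}

# Helpers: EventData as a name -> value table, and a windowed log query that tolerates missing logs.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}
function Get-Events($Log, $Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

# 4. Process creation (4688) naming the tool (step 8). Command lines appear only if that audit setting is on.
$Procs = Get-Events Security 4688 | ForEach-Object { $d = Get-EventData $_
    if ("$($d.NewProcessName) $($d.CommandLine)" -match $Pattern) {
        [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.NewProcessName; User = $d.SubjectUserName; CommandLine = $d.CommandLine } } }

# 5. Remote logons (4624): type 10 = RDP, type 3 = network (SMB/PsExec), with the source address.
$Logons = Get-Events Security 4624 | ForEach-Object { $d = Get-EventData $_
    if ($d.LogonType -in '3', '10' -and $d.IpAddress -notin '-', '127.0.0.1', '::1') {
        [pscustomobject]@{ Time = $_.TimeCreated; User = "$($d.TargetDomainName)\$($d.TargetUserName)"; Type = $d.LogonType; From = $d.IpAddress } } }

# 6. New services (7045, System log): fgdump's LSASS helper registers one; so does PsExec.
$Services = Get-Events System 7045 | ForEach-Object { $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; Image = $d.ImagePath; Account = $d.AccountName } }

# 7. If Sysmon is installed, Event 10 records which process opened a handle to lsass.exe and with what access.
$LsassAccess = Get-Events 'Microsoft-Windows-Sysmon/Operational' 10 | ForEach-Object { $d = Get-EventData $_
    if ($d.TargetImage -like '*\lsass.exe') {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = $d.SourceImage; Access = $d.GrantedAccess } } }

# Report, then preserve the raw logs before they rotate.
foreach ($s in @(@{ N = 'Files'; V = $Files }, @{ N = 'Run keys'; V = $Autoruns }, @{ N = 'Tasks'; V = $Tasks },
                 @{ N = 'Tool processes'; V = $Procs }, @{ N = 'Remote logons'; V = $Logons },
                 @{ N = 'New services'; V = $Services }, @{ N = 'LSASS access (Sysmon)'; V = $LsassAccess })) {
    "`n== $($s.N): $(@($s.V).Count) =="
    $s.V | Format-Table -AutoSize | Out-String -Width 200
}
wevtutil epl Security "$Evidence\Security.evtx"
wevtutil epl System   "$Evidence\System.evtx"
```

Run it before steps 3 to 5 remove anything, and keep the C:\Evidence folder off the machine (copy it to USB) before reimaging. The two wevtutil exports preserve the logs in their native .evtx form, which is what an incident responder or insurer will ask for.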

Prevention

  1. Enforce strong, unique passwords across all accounts. Use a password manager to generate and store complex passwords so that stolen hashes cannot be cracked in any useful time. Be clear about what length buys you: it raises the cost of cracking, but it does not stop an attacker from replaying the NT hash itself with pass-the-hash, which is why items 2, 3 and 6 matter as much as password length. Never reuse passwords between personal and work accounts, and change default administrator passwords immediately on all systems.
  2. Enable and require multi-factor authentication everywhere possible. Even if an attacker steals your password hash and cracks it, MFA prevents them from using those credentials for remote access. This single measure blocks the majority of credential-based attacks that tools like FGDump support.
  3. Restrict administrative privileges ruthlessly. Users should operate with standard accounts for daily tasks; reserve administrator rights for intentional system changes only, because FGDump needs local administrator rights to run at all. Keep User Account Control (UAC) at its highest setting so elevation is always prompted, but treat it as a speed bump, not a security boundary. On Windows 8.1 and later, enable LSA Protection (the RunAsPPL setting), which stops unsigned code from opening or injecting into LSASS, and on capable hardware enable Credential Guard, which moves domain secrets out of LSASS entirely. Give every machine a different local administrator password (Windows LAPS does this automatically) so a dumped local hash is useless anywhere else.
  4. Deploy and maintain endpoint detection and response (EDR) tools. Modern security software doesn't just scan files — it monitors behavior patterns like LSASS injection and credential access that characterize tools like FGDump. For business environments, enterprise-grade EDR solutions from CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint provide real-time alerts for these techniques.
  5. Keep all software patched and current. Attackers typically deploy credential-dumping tools after exploiting unpatched vulnerabilities for initial access. Enable automatic updates for Windows and all applications, and prioritize security patches as soon as they're released.
  6. Segment your network and limit lateral movement opportunities. For businesses, implement network segmentation so that compromise of one system doesn't grant access to all systems. Use separate VLANs for different departments, restrict RDP and SMB access to necessary systems only, and monitor for unusual internal connection patterns.
  7. Monitor and log credential access events. Enable the Windows Advanced Audit Policy subcategories for Sensitive Privilege Use, Security System Extension (new services) and Process Creation with command-line logging; Windows itself does not log handles opened to LSASS, so deploy Sysmon (Event ID 10 on lsass.exe) or an EDR agent for that. Configure a Security Information and Event Management (SIEM) system, or at minimum central log forwarding to a machine the attacker cannot reach, to alert on patterns consistent with credential dumping; even in small business environments, getting the logs off the compromised host is what makes a timeline possible.
  8. Educate users about social engineering and phishing. Most credential-theft chains begin with phished credentials or malicious attachments that establish the initial foothold. Regular security awareness training that includes realistic examples and simulated phishing exercises dramatically reduces successful initial compromises, preventing attackers from ever reaching the credential-dumping phase.
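Items 1, 3, 4 and 7 above map onto a handful of Windows settings that can be checked (and several of them set) from PowerShell. The script below is an added example written for this article, not part of the original page or of any Microsoft documentation; it reports the current state of each setting against a target value and, when run with -Fix, applies the registry-backed ones. The target values are Microsoft defaults or common hardening baselines and are assumptions for your environment (in particular the cached-logon count of 2, where the Windows default is 10). Run it from an elevated prompt; RunAsPPL and CachedLogonsCount take effect at the next reboot.

```powershell
# Added example (not part of the original article): audit, and optionally fix, the
# settings that blunt LSASS/SAM credential dumping. Target values are assumptions.
#Requires -RunAsAdministrator
param([switch]$Fix)

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Audit    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

# Each check: why it matters, how to read it, what "good" looks like, and (where possible) how to set it.
$Checks = @(
    @{ Name = 'LSA Protection (RunAsPPL)'; Why = 'blocks unsigned code from opening or injecting into lsass.exe'
       Get = { Get-RegValue $Lsa 'RunAsPPL' }; Want = 1; Test = { param($v) $v -eq 1 }
       Set = { Set-ItemProperty -Path $Lsa -Name RunAsPPL -Value 1 -Type DWord } }
    @{ Name = 'NoLMHash'; Why = 'stops storing trivially crackable LM hashes in the SAM'
       Get = { Get-RegValue $Lsa 'NoLMHash' }; Want = 1; Test = { param($v) $v -eq 1 }
       Set = { Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord } }
    @{ Name = 'CachedLogonsCount'; Why = 'fewer cached domain logons for cachedump to harvest (assumption: 2; default 10)'
       Get = { [int](Get-RegValue $Winlogon 'CachedLogonsCount') }; Want = 2; Test = { param($v) $v -le 2 }
       Set = { Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value '2' -Type String } }
    @{ Name = 'Process creation command line'; Why = 'Event 4688 then records the fgdump command line'
       Get = { Get-RegValue $Audit 'ProcessCreationIncludeCmdLine_Enabled' }; Want = 1; Test = { param($v) $v -eq 1 }
       Set = { New-Item -Path $Audit -Force | Out-Null
               Set-ItemProperty -Path $Audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord } }
    @{ Name = 'Credential Guard running'; Why = 'isolates domain secrets from LSASS (needs VBS-capable hardware; set via policy)'
       Get = { $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
               if ($dg -and $dg.SecurityServicesRunning -contains 1) { 1 } else { 0 } }
       Want = 1; Test = { param($v) $v -eq 1 } }
    @{ Name = 'Defender real-time protection'; Why = 'on-access scanning of dropped tools'
       Get = { [int](Get-MpComputerStatus).RealTimeProtectionEnabled }; Want = 1; Test = { param($v) $v -eq 1 } }
    @{ Name = 'Defender tamper protection'; Why = 'stops an intruder switching Defender off before dumping (set via Windows Security app or Intune)'
       Get = { [int](Get-MpComputerStatus).IsTamperProtected }; Want = 1; Test = { param($v) $v -eq 1 } }
    @{ Name = 'Defender cloud-delivered protection'; Why = 'MAPSReporting 2 = Advanced'
       Get = { [int](Get-MpPreference).MAPSReporting }; Want = 2; Test = { param($v) $v -eq 2 }
       Set = { Set-MpPreference -MAPSReporting Advanced } }
)

$Results = foreach ($c in $Checks) {
    $cur = try { & $c.Get } catch { $null }
    $ok  = ($null -ne $cur) -and (& $c.Test $cur)
    if (-not $ok -and $Fix -and $c.Set) {                 # apply the fix, then re-read to confirm
        & $c.Set
        $cur = try { & $c.Get } catch { $null }
        $ok  = ($null -ne $cur) -and (& $c.Test $cur)
    }
    [pscustomobject]@{ Check = $c.Name; Current = $cur; Want = $c.Want; Pass = $ok; Why = $c.Why }
}
$Results | Format-Table Check, Current, Want, Pass -AutoSize

# Audit policy is not a plain registry value; show the subcategories the prevention list names.
auditpol /get /subcategory:"Sensitive Privilege Use"
auditpol /get /subcategory:"Security System Extension"
auditpol /get /subcategory:"Process Creation"
```

A failing LSA Protection check on a machine that can support it is the single most useful thing this script will tell you: with RunAsPPL on, the injection step FGDump depends on fails outright. Credential Guard and tamper protection are reported but not set here, because they are enabled through Group Policy, Intune or the Windows Security app rather than a registry write.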
Our Commitment to You: When Computer Repair Roswell removes malware from your system, we back our work with a 90-day warranty. If the same infection returns within that period through no fault of your own, we'll re-clean your system at no additional charge. We also provide written documentation of what we found, what we removed, and specific recommendations for preventing reinfection — including which passwords you should prioritize changing based on the compromise timeline.

Bring It In

Credential-dumping tools like FGDump represent the kind of sophisticated threat that demands professional assessment, not just automated removal. When we examine your system at Computer Repair Roswell, we don't stop at deleting the obvious files — we investigate the full scope of the compromise, determine how the attacker gained access initially, identify what information was exposed, and verify that no backdoors remain for future exploitation. Our diagnostics include forensic-level examination of system logs, registry analysis for persistence mechanisms, and memory inspection for rootkits that standard antivirus misses. We'll provide you with a clear timeline of the attack and specific guidance on which passwords and accounts require immediate attention based on what credentials were accessible during the compromise window.

Don't gamble with your security after detecting credential-theft tools on your system. Call us at (770) 856-1577 or visit our Kennesaw location at 1960 Vaughn Road, Suite 100, Kennesaw, GA 30144. We offer same-day diagnostics for urgent security incidents, and we can typically complete comprehensive malware removal and security hardening within 24-48 hours. For business clients, we provide after-hours and emergency service to minimize downtime, along with detailed incident reports suitable for compliance documentation and insurance claims. Your credentials — and everything they protect — are too important to trust to automated cleanup alone. Let our experienced technicians ensure your system is genuinely secure before you reconnect it to your network and resume normal operations.