Cheat DetectionHighPublished

TZ Project FiveM cheat detection & forensic artifacts

TZ Project is a FiveM-targeted cheat loader that disguises its primary executable as firefox.exe to blend in with legitimate browser processes. It communicates with api.tzproject.com, writes an imgui.ini configuration file into the GTA V game folder, and leaves reliable traces in DNS cache, LSASS memory, and the Windows Program Compatibility Assistant log.

CR
Clubhouse AC Research
June 1, 2026 9 min read

Summary

  • Loader masquerades as firefox.exe — a deliberate process-name spoof to avoid casual process-list inspection.
  • C2 domain api.tzproject.com observed in DNS cache, LSASS memory, and the FiveM game process simultaneously.
  • imgui.ini written to the GTA V game folder — a persistent Dear ImGui configuration artifact that survives session cleanup.
  • DPS first-seen timestamp (2025-01-14 11:41:43) and PcaSVC entry survive independently of any user-side cleanup.

Overview

TZ Project is a commercially distributed FiveM cheat loader. Its primary executable is named firefox.exe — a deliberate choice to impersonate Mozilla Firefox and avoid detection in a basic process listing. The binary weighs approximately 5.2 MB and connects to api.tzproject.com for license validation and payload delivery.

Unlike Susano, TZ Project does not appear to run a dedicated stealth mode that purges Prefetch or USN Journal entries. Instead it relies on the process-name masquerade and the relatively small footprint of its loader to avoid raising immediate suspicion. However, it leaves several distinctive artifacts — most notably the imgui.ini file in the GTA V directory — that are straightforward to locate during a screenshare.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All four hash values are provided for cross-platform matching.

firefox.exe — file indicatorsIOC
Name        firefox.exe
Size        5,494,272 bytes (5.2 MB)

SHA-256     2bebd0687e7f0c941a7eeefc27cba39520ae631e16b21b61179d1f989c212cfb
SHA-1       874ce0252e8b5866f429bd726a65add81b62aa87
SHA-512     e80ef20dcebe56b54fe18b460f847132a2d90434e38ccbfc5132e46f440b
            13f191092549ad747c4f728fd95e8972b1fee2639e1496851ba46dca2a73ba2d2e4e
MD5         b3bf72f8ccf4f32301418951af5513e6

First seen  2025-01-14  11:41:43 UTC  (DPS timestamp)
PcaSVC      0x944000

C2 domain   api.tzproject.com / tzproject.com
  → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe

The DPS timestamp of 2025-01-14 11:41:43 is written by the Windows Program Compatibility Assistant service at first execution and is not accessible through standard file-time APIs, meaning it cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

Process name masquerade — firefox.exe

TZ Project names its loader firefox.exe to blend in with the legitimate Mozilla Firefox browser process. In a basic process listing this looks unremarkable. The masquerade is exposed by checking the executable path — a genuine Firefox process runs from C:\Program Files\Mozilla Firefox\, while the TZ Project binary will be located in a different, user-writable path. Any firefox.exe outside the Mozilla installation directory should be treated as suspicious.

imgui.ini in the GTA V folder

TZ Project uses Dear ImGui for its in-game overlay UI. ImGui automatically writes a imgui.ini file to the working directory of the host process when the UI is first opened — in this case, the GTA V game folder. This file persists after the cheat exits and is not removed by a standard session cleanup.

The presence of imgui.ini inside the GTA V directory is not produced by any legitimate component of GTA V, FiveM, or their dependencies and is a reliable standalone indicator of ImGui-based cheat usage.

Memory artifacts

During an active TZ Project session, the C2 domain api.tzproject.com and the root domain tzproject.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.

DNS cache

The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.tzproject.com and tzproject.com as recently resolved entries.

lsass.exe memory

As with Susano, the C2 domain string appears in lsass.exe process memory — a system process that is not a deliberate target of the cheat but whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.

FiveM game process

The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that TZ Project injects into or communicates directly with the game process rather than operating purely as an external overlay.

Loader UI

TZ Project ships a graphical loader interface used to authenticate the user and launch the cheat. Screenshots of this loader are useful reference points during a screenshare — if a subject has the loader installed and not yet cleaned up, its window title, branding, or executable path will be visible in taskbar history, recent files, or jump lists.

The loader UI is distinct enough that it will not be confused with any legitimate application. Its presence in taskbar thumbnails, ATS/window history, or the Prefetch record for firefox.exe is conclusive evidence of TZ Project usage.

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–6 cover machines where the user has attempted a manual cleanup.

1

Process list — verify firefox.exe path

  • Open Task Manager or System Informer and look for any running instance of firefox.exe.
  • If found, check the full executable path. A legitimate Firefox process runs from C:\Program Files\Mozilla Firefox\firefox.exe. Any other location — particularly user-writable paths like %AppData%, %Temp%, or the Desktop — is the TZ Project loader.
2

GTA V folder — imgui.ini

  • Navigate to the GTA V installation directory (typically C:\Program Files\Rockstar Games\Grand Theft Auto V\).
  • Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage.
  • Open the file and inspect its contents — ImGui saves window positions and sizes, and the section names often correspond directly to the cheat's menu tab names.
3

DNS cache

  • Run ipconfig /displaydns in Command Prompt, or use System Informer's DNS section.
  • Search the output for tzproject.com or api.tzproject.com. A cache hit confirms an outbound connection was made during the current or a recent session.
4

Browser & Discord

  • Check browser history and downloads for any traffic to or files downloaded from tzproject.com.
  • In Discord, check User Settings → Authorized Apps for any TZ Project or related application authorisation.
5

DPS / PcaSVC timestamp

  • Use a DFIR tool (e.g., AppCompatCacheParser, PECmd with --pca) to inspect the PcaSVC and DPS log entries.
  • Look for firefox.exe entries with paths outside Program Files\Mozilla Firefox. The DPS timestamp of 2025-01-14 11:41:43 corresponds to the known build but any anomalous firefox.exe PcaSVC entry warrants investigation.
6

Memory string scan (if process is running)

  • If firefox.exe or FiveM is currently running, perform a string scan in System Informer for tzproject.com.
  • Hits in lsass.exe or FiveM_GTAProcess.exe confirm active injection and C2 communication.
7

Prefetch — firefox.exe

  • Check the Prefetch folder (C:\Windows\Prefetch) for a FIREFOX.EXE-*.pf entry.
  • Compare the path recorded inside the Prefetch file against the known legitimate Firefox install path. A Prefetch entry pointing to an unusual directory confirms loader execution.

Detection summary

Artifact matrix — TZ Project / firefox.exeSummary
Artifact                       Survives cleanup?   Check location
───────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp         Yes                 AppCompat / DPS log
imgui.ini in GTA V folder      Yes                 GTA V install directory
Prefetch (firefox.exe path)    Usually             C:WindowsPrefetch
DNS cache (tzproject.com)      Session-length      ipconfig /displaydns
Browser history                Partial             Browser + Informer
Discord Authorized Apps        Partial             Discord settings
C2 strings in lsass.exe        Only while running  Memory string scan
C2 strings in FiveM process    Only while running  Memory string scan

The most immediately actionable indicators are the imgui.ini file in the GTA V folder and the firefox.exe path mismatch in the process list or Prefetch record. Both are present after cleanup and require no specialised tooling to find. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.