Summary
- Loader masquerades as firefox.exe — a deliberate process-name spoof to avoid casual process-list inspection.
- C2 domain api.tzproject.com observed in DNS cache, LSASS memory, and the FiveM game process simultaneously.
- imgui.ini written to the GTA V game folder — a persistent Dear ImGui configuration artifact that survives session cleanup.
- DPS first-seen timestamp (2025-01-14 11:41:43) and PcaSVC entry survive independently of any user-side cleanup.
Overview
TZ Project is a commercially distributed FiveM cheat loader. Its primary executable is named firefox.exe — a deliberate choice to impersonate Mozilla Firefox and avoid detection in a basic process listing. The binary weighs approximately 5.2 MB and connects to api.tzproject.com for license validation and payload delivery.
Unlike Susano, TZ Project does not appear to run a dedicated stealth mode that purges Prefetch or USN Journal entries. Instead it relies on the process-name masquerade and the relatively small footprint of its loader to avoid raising immediate suspicion. However, it leaves several distinctive artifacts — most notably the imgui.ini file in the GTA V directory — that are straightforward to locate during a screenshare.
Sample metadata (IOC)
The following file was recovered and added to the research corpus. All four hash values are provided for cross-platform matching.
Name firefox.exe
Size 5,494,272 bytes (5.2 MB)
SHA-256 2bebd0687e7f0c941a7eeefc27cba39520ae631e16b21b61179d1f989c212cfb
SHA-1 874ce0252e8b5866f429bd726a65add81b62aa87
SHA-512 e80ef20dcebe56b54fe18b460f847132a2d90434e38ccbfc5132e46f440b
13f191092549ad747c4f728fd95e8972b1fee2639e1496851ba46dca2a73ba2d2e4e
MD5 b3bf72f8ccf4f32301418951af5513e6
First seen 2025-01-14 11:41:43 UTC (DPS timestamp)
PcaSVC 0x944000
C2 domain api.tzproject.com / tzproject.com
→ Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exeThe DPS timestamp of 2025-01-14 11:41:43 is written by the Windows Program Compatibility Assistant service at first execution and is not accessible through standard file-time APIs, meaning it cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.
Behavioral indicators
Process name masquerade — firefox.exe
TZ Project names its loader firefox.exe to blend in with the legitimate Mozilla Firefox browser process. In a basic process listing this looks unremarkable. The masquerade is exposed by checking the executable path — a genuine Firefox process runs from C:\Program Files\Mozilla Firefox\, while the TZ Project binary will be located in a different, user-writable path. Any firefox.exe outside the Mozilla installation directory should be treated as suspicious.
imgui.ini in the GTA V folder
TZ Project uses Dear ImGui for its in-game overlay UI. ImGui automatically writes a imgui.ini file to the working directory of the host process when the UI is first opened — in this case, the GTA V game folder. This file persists after the cheat exits and is not removed by a standard session cleanup.
The presence of imgui.ini inside the GTA V directory is not produced by any legitimate component of GTA V, FiveM, or their dependencies and is a reliable standalone indicator of ImGui-based cheat usage.
Memory artifacts
During an active TZ Project session, the C2 domain api.tzproject.com and the root domain tzproject.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.
DNS cache
The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.tzproject.com and tzproject.com as recently resolved entries.
lsass.exe memory
As with Susano, the C2 domain string appears in lsass.exe process memory — a system process that is not a deliberate target of the cheat but whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.
FiveM game process
The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that TZ Project injects into or communicates directly with the game process rather than operating purely as an external overlay.
Loader UI
TZ Project ships a graphical loader interface used to authenticate the user and launch the cheat. Screenshots of this loader are useful reference points during a screenshare — if a subject has the loader installed and not yet cleaned up, its window title, branding, or executable path will be visible in taskbar history, recent files, or jump lists.
The loader UI is distinct enough that it will not be confused with any legitimate application. Its presence in taskbar thumbnails, ATS/window history, or the Prefetch record for firefox.exe is conclusive evidence of TZ Project usage.
Screenshare check guide
Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–6 cover machines where the user has attempted a manual cleanup.
Process list — verify firefox.exe path
- Open Task Manager or System Informer and look for any running instance of firefox.exe.
- If found, check the full executable path. A legitimate Firefox process runs from C:\Program Files\Mozilla Firefox\firefox.exe. Any other location — particularly user-writable paths like %AppData%, %Temp%, or the Desktop — is the TZ Project loader.
GTA V folder — imgui.ini
- Navigate to the GTA V installation directory (typically C:\Program Files\Rockstar Games\Grand Theft Auto V\).
- Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage.
- Open the file and inspect its contents — ImGui saves window positions and sizes, and the section names often correspond directly to the cheat's menu tab names.
DNS cache
- Run ipconfig /displaydns in Command Prompt, or use System Informer's DNS section.
- Search the output for tzproject.com or api.tzproject.com. A cache hit confirms an outbound connection was made during the current or a recent session.
Browser & Discord
- Check browser history and downloads for any traffic to or files downloaded from tzproject.com.
- In Discord, check User Settings → Authorized Apps for any TZ Project or related application authorisation.
DPS / PcaSVC timestamp
- Use a DFIR tool (e.g., AppCompatCacheParser, PECmd with --pca) to inspect the PcaSVC and DPS log entries.
- Look for firefox.exe entries with paths outside Program Files\Mozilla Firefox. The DPS timestamp of 2025-01-14 11:41:43 corresponds to the known build but any anomalous firefox.exe PcaSVC entry warrants investigation.
Memory string scan (if process is running)
- If firefox.exe or FiveM is currently running, perform a string scan in System Informer for tzproject.com.
- Hits in lsass.exe or FiveM_GTAProcess.exe confirm active injection and C2 communication.
Prefetch — firefox.exe
- Check the Prefetch folder (C:\Windows\Prefetch) for a FIREFOX.EXE-*.pf entry.
- Compare the path recorded inside the Prefetch file against the known legitimate Firefox install path. A Prefetch entry pointing to an unusual directory confirms loader execution.
Detection summary
Artifact Survives cleanup? Check location ─────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log imgui.ini in GTA V folder Yes GTA V install directory Prefetch (firefox.exe path) Usually C:WindowsPrefetch DNS cache (tzproject.com) Session-length ipconfig /displaydns Browser history Partial Browser + Informer Discord Authorized Apps Partial Discord settings C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan
The most immediately actionable indicators are the imgui.ini file in the GTA V folder and the firefox.exe path mismatch in the process list or Prefetch record. Both are present after cleanup and require no specialised tooling to find. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.