Cheat DetectionHighPublished

TZX Project FiveM cheat detection & forensic artifacts

TZX Project is a FiveM-targeted cheat loader distributed under the name taskthow.exe. It shares C2 infrastructure with TZ Project, communicating with api.tzproject.com, but is a distinct binary with its own hash profile. Its most distinctive artifact is packages.json dropped into C:\Windows\System32\ — a file not created by any legitimate Windows component.

CR
Clubhouse AC Research
June 1, 2026 8 min read

Summary

  • packages.json dropped into C:\Windows\System32\ — the most distinctive and persistent artifact of TZX Project, not created by any legitimate Windows component.
  • Shares C2 domain api.tzproject.com with TZ Project but is a separate binary — distinguish by executable name (taskthow.exe vs firefox.exe).
  • C2 domain observed in DNS cache, LSASS memory, and FiveM_GTAProcess.exe simultaneously.
  • DPS first-seen timestamp (2025-03-15 14:38:02) and PcaSVC entry survive independently of user-side cleanup.

Overview

TZX Project is a commercially distributed FiveM cheat loader. Its primary executable is named taskthow.exe and weighs approximately 7.1 MB. It connects to api.tzproject.com — the same C2 domain used by TZ Project — for license validation and payload delivery.

Despite sharing C2 infrastructure with TZ Project, TZX Project is an entirely separate binary with its own hash profile and distinct behavioral footprint. The two cheats should not be conflated: the executable name is the primary distinguishing factor during a process-list inspection. TZX Project's most unique artifact is a file named packages.json written directly into C:\Windows\System32\, which is trivially located via a Journal Trace search and has no legitimate counterpart.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

taskthow.exe — file indicatorsIOC
Name        taskthow.exe
Size        7,434,240 bytes (7.1 MB)

SHA-256     e0669f468852c41db8d60323777b3226fcaf3ac64b9d07e35955de834ab2d2a0
SHA-1       fdaf1a8441f50f05f5174147ee47f1094fc6c2ef
MD5         1935197a8b7a8b6bccb48eb9da254cd5

First seen  2025-03-15  14:38:02 UTC  (DPS timestamp)
PcaSVC      0xf19000

C2 domain   api.tzproject.com / tzproject.com
  → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe

The DPS timestamp of 2025-03-15 14:38:02 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

packages.json in System32

TZX Project drops a file named packages.json into C:\Windows\System32\. This file is not created by any legitimate Windows component, application runtime, or Node.js installation at that path. It is visible in a Journal Trace search filtered for packages and will appear as a creation event under the System32 directory.

This is the most distinctive and actionable artifact of TZX Project. Its presence in System32 is immediately anomalous and requires no additional context to flag during a screenshare.

Shared C2 infrastructure with TZ Project

TZX Project uses the same C2 domain (api.tzproject.com) as TZ Project but is a separate binary with different hashes. The two should not be confused during an investigation. Check the executable name: taskthow.exe is TZX Project, while firefox.exe is TZ Project. The same C2 domain appearing in DNS, LSASS, or the FiveM process does not on its own distinguish which variant is present — the process name and file hash are the definitive differentiators.

Memory artifacts

During an active TZX Project session, the C2 domain api.tzproject.com appears across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.

DNS cache

Running ipconfig /displaydns or inspecting the DNS section in System Informer will show api.tzproject.com as a recently resolved entry, confirming an outbound connection was made during the session.

lsass.exe memory

The C2 domain string appears in lsass.exe process memory as a residual artifact from injection or inter-process communication performed by the loader. This is consistent with behavior observed in TZ Project and other cheats sharing this C2 infrastructure.

FiveM game process

The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that TZX Project injects into or communicates directly with the game process.

Prefetch record

A Prefetch entry for taskthow.exe will appear in C:\Windows\Prefetch following execution. The Prefetch file records the full path of the executable, providing a persistent record of loader execution that survives basic cleanup attempts.

Screenshare check guide

Work through these steps in order. Step 1 is the fastest and most unique to TZX Project. Steps 2–7 cover memory, persistence, and cleanup-resistant artifacts.

1

packages.json Journal Trace

  • Open a Journal Trace tool and search for packages.
  • Look for a creation event under C:\Windows\System32\packages.json. This file has no legitimate origin in that path and is TZX Project's most distinctive persistent artifact.
  • If the file still exists, navigate to System32 directly and confirm its presence.
2

DNS cache

  • Run ipconfig /displaydns or check System Informer's DNS section.
  • Search for api.tzproject.com. A cache hit confirms an outbound connection was made during the current or a recent session.
3

Process list — taskthow.exe

  • Open Task Manager or System Informer and look for any running instance of taskthow.exe.
  • If found, confirm the executable path. The binary is not associated with any legitimate Windows or third-party software component.
4

lsass.exe and FiveM process memory scan

  • If FiveM is currently running, perform a string scan in System Informer for tzproject.com.
  • Hits in lsass.exe or FiveM_GTAProcess.exe confirm active C2 communication and injection.
5

DPS / PcaSVC timestamp

  • Use a DFIR tool to inspect PcaSVC and DPS log entries for taskthow.exe.
  • The DPS timestamp of 2025-03-15 14:38:02 corresponds to the known build. Any PcaSVC entry for taskthow.exe is definitive evidence of execution.
6

Browser and Discord

  • Check browser history and downloads for traffic to tzproject.com.
  • In Discord, check User Settings → Authorized Apps for any TZX Project or TZ Project related authorisation.
7

Prefetch — taskthow.exe

  • Check the Prefetch folder (C:\Windows\Prefetch) for a TASKTHOW.EXE-*.pf entry.
  • A Prefetch entry for this filename is unambiguous — there is no legitimate process named taskthow.exe in any standard Windows or application installation.

Detection summary

Artifact matrix — TZX Project / taskthow.exeSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp            Yes                 AppCompat / DPS log
packages.json in System32         Yes                 C:\Windows\System32 journal trace
Prefetch (taskthow.exe)           Usually             C:\Windows\Prefetch
DNS cache (api.tzproject.com)     Session-length      ipconfig /displaydns
C2 strings in lsass.exe           Only while running  Memory string scan
C2 strings in FiveM process       Only while running  Memory string scan

The most immediately actionable indicator is the packages.json file in C:\Windows\System32, located via Journal Trace. It persists after the cheat exits, requires no specialised tooling beyond a journal search, and has no legitimate counterpart. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.