Summary
- imgui.ini written to the GTA V installation directory — same as TZ Project, this Dear ImGui artifact is not produced by any legitimate GTA V component and persists after session cleanup.
- Distinctive configuration files settings.cock and settings.cook written by the loader — searchable via Everything or Journal Trace.
- INSTRUCTIONS.txt present in the loader directory alongside settings.cook — finding either confirms a Red Engine installation.
- Windows Defender flags the binary — a threat history entry for Chaga.exe or the loader directory is a reliable standalone indicator.
Overview
Red Engine is a commercially distributed FiveM cheat. Its primary executable is named Chaga.exe and weighs approximately 15.2 MB. It communicates with falcon.redengine.eu for license validation and service delivery. The cheat is distributed as a zip archive containing the main binary and a loader component.
Red Engine leaves several file-system artifacts that are straightforward to locate during a screenshare: an imgui.ini file in the GTA V directory, configuration files with the unusual extensions .cock and .cook in the loader folder, and an INSTRUCTIONS.txt file alongside the loader. Windows Defender also detects the binary and generates a threat history entry that survives unless the user explicitly clears security history.
Notably, C2 domain strings were not observed in LSASS or FiveM process memory in this build. The DNS cache remains the primary memory-resident artifact.
Sample metadata (IOC)
The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.
Name Chaga.exe
Size 15,946,752 bytes (15.2 MB)
SHA-256 01066036116668a6142ed373b0aaa0290c1e8cab9bd2b610f1d844b26607b9f5
SHA-1 d513e9400820de2d8d26195eb880855e00d765f8
MD5 b6194b41ad52079249154818c8131183
First seen 2025-04-27 09:38:40 UTC (DPS timestamp)
PcaSVC 0x2418000
C2 domain falcon.redengine.eu
→ Observed in: DNS cache only
(lsass.exe and FiveM process C2 strings not observed in this build)The DPS timestamp of 2025-04-27 09:38:40 is written by the Windows Program Compatibility Assistant service at first execution. It cannot be cleared by the same routines that wipe Prefetch or browser history.
Behavioral indicators
imgui.ini in the GTA V folder
Like TZ Project, Red Engine uses the Dear ImGui library for its in-game overlay and writes an imgui.ini file to the GTA V installation directory. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence in the GTA V folder is a reliable standalone indicator of ImGui-based cheat usage and persists after the cheat exits.
settings.cock and settings.cook files
Red Engine writes configuration files with two distinctive filenames: settings.cock and settings.cook. The .cock file stores in-game settings; settings.cook appears in the loader folder alongside INSTRUCTIONS.txt. These extensions are not used by any legitimate application and can be found immediately via an Everything search or Journal Trace query.
INSTRUCTIONS.txt in the loader folder
The loader directory contains a file named INSTRUCTIONS.txt alongside settings.cook. Finding either of these files in an unusual directory confirms a Red Engine installation. The INSTRUCTIONS.txt file is created by the cheat distributor and is not associated with any Windows system component.
Windows Defender detection
Windows Defender flags Red Engine with a detection on the binary. A Defender quarantine or threat history entry for Chaga.exe or an executable from the loader's directory is a reliable indicator. The threat history record persists in Windows Security history unless explicitly cleared by the user.
Memory artifacts
In this build of Red Engine, C2 domain strings were not observed in LSASS or FiveM process memory. The DNS cache remains the primary memory-resident artifact available during a live screenshare.
DNS cache
Running ipconfig /displaydns or inspecting the DNS section in System Informer will show falcon.redengine.eu as a recently resolved entry during or after an active session.
Loader distribution
Red Engine is distributed as a zip archive containing Chaga.exe and loader components. The zip typically includes INSTRUCTIONS.txt and settings.cook in the extracted directory. Evidence of this zip file in the download history or on disk confirms acquisition of the cheat package.
Screenshare check guide
Work through these steps in order. Steps 1 and 4 (imgui.ini and Defender history) are the fastest and most persistent. Steps 5–7 cover session-dependent and journal-based artifacts.
imgui.ini in the GTA V folder
- Navigate to the GTA V installation directory (typically C:\Program Files\Rockstar Games\Grand Theft Auto V\).
- Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage.
settings.cock search in Everything
- Open Everything or a Journal Trace tool and search for settings.cock or settings.cook.
- These extensions are not used by any legitimate application. Any match on a user's system is a direct indicator of Red Engine presence.
INSTRUCTIONS.txt in the loader folder
- If settings.cook is found, check the same directory for INSTRUCTIONS.txt.
- Finding both files in the same directory confirms the presence of the Red Engine loader package as distributed.
Windows Defender threat history
- Open Windows Security and navigate to Virus & threat protection → Protection history.
- Look for any detection referencing Chaga.exe or a file in the loader's directory. The history entry persists unless the user has explicitly cleared the security history.
DNS cache
- Run ipconfig /displaydns or check System Informer's DNS section.
- Search for falcon.redengine.eu. A cache hit confirms a connection was made during the current or a recent session.
DPS / PcaSVC timestamp
- Use a DFIR tool to inspect PcaSVC and DPS log entries for Chaga.exe.
- The DPS timestamp of 2025-04-27 09:38:40 corresponds to the known build. Any PcaSVC entry for Chaga.exe is definitive evidence of execution.
Journal Trace
- Run a Journal Trace search for Chaga, redengine, settings.cock, or settings.cook.
- Journal entries for file creation in the loader directory confirm when the cheat was first installed, independent of other cleanup.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log imgui.ini in GTA V folder Yes GTA V install directory settings.cock / settings.cook Yes Loader directory / Everything search INSTRUCTIONS.txt Yes Loader directory Defender threat history Yes (if not cleared) Windows Security history DNS cache (falcon.redengine.eu) Session-length ipconfig /displaydns Prefetch (Chaga.exe) Usually C:\Windows\Prefetch
The most immediately actionable indicators are the settings.cock / settings.cook files (searchable with a single Everything query), the imgui.ini in the GTA V folder, and the Windows Defender threat history entry. All three persist after the cheat exits and require no specialised tooling to locate.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.