Cheat DetectionHighPublished

Red Engine FiveM cheat detection & forensic artifacts

Red Engine is a FiveM-targeted cheat distributed as Chaga.exe. It writes imgui.ini to the GTA V folder, drops distinctive configuration files named settings.cock and settings.cook in its loader directory, and triggers a Windows Defender detection on the binary. Its C2 domain falcon.redengine.eu is observable in DNS cache but was not observed in LSASS or FiveM process memory in this build.

CR
Clubhouse AC Research
June 1, 2026 9 min read

Summary

  • imgui.ini written to the GTA V installation directory — same as TZ Project, this Dear ImGui artifact is not produced by any legitimate GTA V component and persists after session cleanup.
  • Distinctive configuration files settings.cock and settings.cook written by the loader — searchable via Everything or Journal Trace.
  • INSTRUCTIONS.txt present in the loader directory alongside settings.cook — finding either confirms a Red Engine installation.
  • Windows Defender flags the binary — a threat history entry for Chaga.exe or the loader directory is a reliable standalone indicator.

Overview

Red Engine is a commercially distributed FiveM cheat. Its primary executable is named Chaga.exe and weighs approximately 15.2 MB. It communicates with falcon.redengine.eu for license validation and service delivery. The cheat is distributed as a zip archive containing the main binary and a loader component.

Red Engine leaves several file-system artifacts that are straightforward to locate during a screenshare: an imgui.ini file in the GTA V directory, configuration files with the unusual extensions .cock and .cook in the loader folder, and an INSTRUCTIONS.txt file alongside the loader. Windows Defender also detects the binary and generates a threat history entry that survives unless the user explicitly clears security history.

Notably, C2 domain strings were not observed in LSASS or FiveM process memory in this build. The DNS cache remains the primary memory-resident artifact.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

Chaga.exe — file indicatorsIOC
Name        Chaga.exe
Size        15,946,752 bytes (15.2 MB)

SHA-256     01066036116668a6142ed373b0aaa0290c1e8cab9bd2b610f1d844b26607b9f5
SHA-1       d513e9400820de2d8d26195eb880855e00d765f8
MD5         b6194b41ad52079249154818c8131183

First seen  2025-04-27  09:38:40 UTC  (DPS timestamp)
PcaSVC      0x2418000

C2 domain   falcon.redengine.eu
  → Observed in: DNS cache only
    (lsass.exe and FiveM process C2 strings not observed in this build)

The DPS timestamp of 2025-04-27 09:38:40 is written by the Windows Program Compatibility Assistant service at first execution. It cannot be cleared by the same routines that wipe Prefetch or browser history.

Behavioral indicators

imgui.ini in the GTA V folder

Like TZ Project, Red Engine uses the Dear ImGui library for its in-game overlay and writes an imgui.ini file to the GTA V installation directory. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence in the GTA V folder is a reliable standalone indicator of ImGui-based cheat usage and persists after the cheat exits.

settings.cock and settings.cook files

Red Engine writes configuration files with two distinctive filenames: settings.cock and settings.cook. The .cock file stores in-game settings; settings.cook appears in the loader folder alongside INSTRUCTIONS.txt. These extensions are not used by any legitimate application and can be found immediately via an Everything search or Journal Trace query.

INSTRUCTIONS.txt in the loader folder

The loader directory contains a file named INSTRUCTIONS.txt alongside settings.cook. Finding either of these files in an unusual directory confirms a Red Engine installation. The INSTRUCTIONS.txt file is created by the cheat distributor and is not associated with any Windows system component.

Windows Defender detection

Windows Defender flags Red Engine with a detection on the binary. A Defender quarantine or threat history entry for Chaga.exe or an executable from the loader's directory is a reliable indicator. The threat history record persists in Windows Security history unless explicitly cleared by the user.

Memory artifacts

In this build of Red Engine, C2 domain strings were not observed in LSASS or FiveM process memory. The DNS cache remains the primary memory-resident artifact available during a live screenshare.

DNS cache

Running ipconfig /displaydns or inspecting the DNS section in System Informer will show falcon.redengine.eu as a recently resolved entry during or after an active session.

Loader distribution

Red Engine is distributed as a zip archive containing Chaga.exe and loader components. The zip typically includes INSTRUCTIONS.txt and settings.cook in the extracted directory. Evidence of this zip file in the download history or on disk confirms acquisition of the cheat package.

Screenshare check guide

Work through these steps in order. Steps 1 and 4 (imgui.ini and Defender history) are the fastest and most persistent. Steps 5–7 cover session-dependent and journal-based artifacts.

1

imgui.ini in the GTA V folder

  • Navigate to the GTA V installation directory (typically C:\Program Files\Rockstar Games\Grand Theft Auto V\).
  • Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage.
2

settings.cock search in Everything

  • Open Everything or a Journal Trace tool and search for settings.cock or settings.cook.
  • These extensions are not used by any legitimate application. Any match on a user's system is a direct indicator of Red Engine presence.
3

INSTRUCTIONS.txt in the loader folder

  • If settings.cook is found, check the same directory for INSTRUCTIONS.txt.
  • Finding both files in the same directory confirms the presence of the Red Engine loader package as distributed.
4

Windows Defender threat history

  • Open Windows Security and navigate to Virus & threat protection → Protection history.
  • Look for any detection referencing Chaga.exe or a file in the loader's directory. The history entry persists unless the user has explicitly cleared the security history.
5

DNS cache

  • Run ipconfig /displaydns or check System Informer's DNS section.
  • Search for falcon.redengine.eu. A cache hit confirms a connection was made during the current or a recent session.
6

DPS / PcaSVC timestamp

  • Use a DFIR tool to inspect PcaSVC and DPS log entries for Chaga.exe.
  • The DPS timestamp of 2025-04-27 09:38:40 corresponds to the known build. Any PcaSVC entry for Chaga.exe is definitive evidence of execution.
7

Journal Trace

  • Run a Journal Trace search for Chaga, redengine, settings.cock, or settings.cook.
  • Journal entries for file creation in the loader directory confirm when the cheat was first installed, independent of other cleanup.

Detection summary

Artifact matrix — Red Engine / Chaga.exeSummary
Artifact                          Survives cleanup?       Check location
──────────────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp            Yes                     AppCompat / DPS log
imgui.ini in GTA V folder         Yes                     GTA V install directory
settings.cock / settings.cook     Yes                     Loader directory / Everything search
INSTRUCTIONS.txt                  Yes                     Loader directory
Defender threat history           Yes (if not cleared)    Windows Security history
DNS cache (falcon.redengine.eu)   Session-length          ipconfig /displaydns
Prefetch (Chaga.exe)              Usually                 C:\Windows\Prefetch

The most immediately actionable indicators are the settings.cock / settings.cook files (searchable with a single Everything query), the imgui.ini in the GTA V folder, and the Windows Defender threat history entry. All three persist after the cheat exits and require no specialised tooling to locate.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.