
Summary
This detection rule identifies potential DLL sideloading attempts involving the Windows application 'KeyScrambler.exe' and its corresponding Dynamic Link Library (DLL), 'KeyScramblerIE.dll'. Attackers have been known to abuse this mechanism by planting a malicious 'KeyScramblerIE.dll' next to 'KeyScrambler.exe' so that the legitimate, signed executable loads it. The rule monitors image load events so that security teams can respond to such activity early. It requires the loading process's image path to end with specific executables indicative of KeyScrambler activity, and it excludes loads where the DLL originates from the verified legitimate installation path. It also filters out DLLs carrying a valid signature from 'QFX Software Corporation', which improves detection accuracy by minimizing false positives. Because this sideloading technique has been observed in known malware campaigns, the rule is a useful component of an endpoint detection strategy in security-conscious environments.
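The rule logic described above, as an added example in Python rather than the rule's own Sigma source. Event field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature); the legitimate install directory and the sample events are constructed placeholders, not values from the page.

```python
"""Evaluate Windows image-load events against the KeyScrambler sideloading logic.

Added example, not the detection rule's own code. Field names follow Sysmon
Event ID 7; LEGIT_INSTALL_DIR is an assumed placeholder for the verified
installation path the rule excludes.
"""
from __future__ import annotations

# The loader executable the rule keys on (the page names only KeyScrambler.exe).
TARGET_EXES = ("\\keyscrambler.exe",)
TARGET_DLL = "\\keyscramblerie.dll"
# Assumed placeholder for the legitimate install directory; adapt to your environment.
LEGIT_INSTALL_DIR = "c:\\program files\\keyscrambler\\"
LEGIT_SIGNER = "qfx software corporation"


def is_keyscrambler_sideload(event: dict) -> bool:
    """Return True when an image-load event matches the sideloading pattern.

    Match: a KeyScrambler loader process loads KeyScramblerIE.dll from a
    location other than the trusted install directory, and the DLL does not
    carry a valid QFX Software Corporation signature.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith(TARGET_EXES) or not loaded.endswith(TARGET_DLL):
        return False
    # Filter 1: the DLL inside the verified install directory is expected behaviour.
    if loaded.startswith(LEGIT_INSTALL_DIR):
        return False
    # Filter 2: a valid vendor signature suppresses the alert (Sysmon reports
    # Signed as the string "true"/"false" and Signature as the signer name).
    signed = event.get("Signed", "").lower() == "true"
    if signed and event.get("Signature", "").lower() == LEGIT_SIGNER:
        return False
    return True


def triage(events: list[dict]) -> list[dict]:
    """Return only the events that match the sideloading pattern."""
    return [e for e in events if is_keyscrambler_sideload(e)]


# Constructed sample events for a local dry run (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\KeyScrambler\\KeyScrambler.exe",
     "ImageLoaded": "C:\\Program Files\\KeyScrambler\\KeyScramblerIE.dll",
     "Signed": "true", "Signature": "QFX Software Corporation"},
    {"Image": "C:\\Users\\Public\\KeyScrambler.exe",
     "ImageLoaded": "C:\\Users\\Public\\KeyScramblerIE.dll",
     "Signed": "false", "Signature": ""},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\KeyScramblerIE.dll",
     "Signed": "false", "Signature": ""},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the second event: the first is excluded by the install-path and signature filters, and the third does not involve the KeyScrambler loader at all.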
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2024-04-15