
Summary
This detection rule identifies the execution of unsigned versions of the THOR scanner binary on Windows systems. It looks at image-load events for images whose path ends in 'thor.exe' or 'thor64.exe'. If such an image is loaded and it lacks a valid signature from Nextron Systems GmbH, the rule raises a high-severity alert. This matters because malicious actors may use unsigned or tampered binaries to evade detection. The rule minimizes false positives by filtering out legitimate, Nextron-signed binaries, but legitimate instances of other binaries sharing the name remain a possible source of false positives. It is useful for identifying potential misuse of the THOR scanner in scenarios where threat actors might leverage it for malicious purposes.
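The following is an added example (not part of the rule or the page) that applies the logic above to constructed Sysmon-style image-load events. Field names (EventID 7, ImageLoaded, Signed, Signature, SignatureStatus) are an assumption of this example, and "valid signature" is read here as Signed true, signer Nextron Systems GmbH and SignatureStatus Valid.

```python
"""Flag loads of THOR scanner images that are not validly signed by Nextron Systems GmbH.

Mirrors the rule described above: select image paths ending in \thor.exe or
\thor64.exe, then exclude those carrying a valid Nextron Systems GmbH signature.
Field names follow Sysmon Event ID 7 and are an assumption of this example.
"""
import json

EXPECTED_SIGNER = "Nextron Systems GmbH"
THOR_NAMES = ("\\thor.exe", "\\thor64.exe")  # separator included so "author.exe" is not matched

# Constructed sample events (one JSON object per line) standing in for Sysmon image_load logs.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Tools\\thor\\thor64.exe", "ImageLoaded": "C:\\Tools\\thor\\thor64.exe", "Signed": "true", "Signature": "Nextron Systems GmbH", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\Public\\thor.exe", "ImageLoaded": "C:\\Users\\Public\\thor.exe", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Temp\\thor64.exe", "ImageLoaded": "C:\\Temp\\thor64.exe", "Signed": "true", "Signature": "Example Corp", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\author.exe", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Tools\\thor\\thor.exe", "ImageLoaded": "C:\\Tools\\thor\\thor.exe", "Signed": "true", "Signature": "Nextron Systems GmbH", "SignatureStatus": "Unavailable"}
"""


def is_thor_image(path: str) -> bool:
    """Selection: the loaded image's file name is thor.exe or thor64.exe (case-insensitive)."""
    return path.lower().endswith(THOR_NAMES)


def has_valid_nextron_signature(event: dict) -> bool:
    """Filter: signed, signer is Nextron Systems GmbH, and the signature verified as Valid."""
    return (event.get("Signed") == "true"
            and event.get("Signature") == EXPECTED_SIGNER
            and event.get("SignatureStatus") == "Valid")


def matches_rule(event: dict) -> bool:
    """condition: selection and not filter, restricted to image-load events."""
    if event.get("EventID") != 7:
        return False
    return is_thor_image(event.get("ImageLoaded", "")) and not has_valid_nextron_signature(event)


def scan(log_text: str) -> list:
    """Return the ImageLoaded paths of all events that trigger the rule, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if matches_rule(event):
            hits.append(event["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in scan(SAMPLE_LOG):
        print(f"ALERT (high): THOR image loaded without a valid Nextron signature: {path}")
```

The last sample event shows why the signer name alone is not enough: the expected signer string is present but the signature did not verify, so it is still flagged.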
Categories
- Windows
Data Sources
- Image
Created: 2023-10-29