Interesting LIME RAT/Keylogger Sample

Found an ISO file that executes VBS > MSHTA (downloaded from cdn.discord[.]com) then launching powershell. The Powershell script contains 2 Windows PE files (1 Base64 encoded, the other Base10 charcode).
Sample: Hash:d4cc124021b66445b5a8d1203d36e899
Next part of execution: Hash: a1987242a319ad25836ba3c211a13ba7
The executed powershell script encodings are decoded in the following images:

The Base64 executable (Google Chrome.dll) is found here:

The Charcode executable (1118.exe) Lime Keylogger is found here:

The 1118.exe executable C2 is top[.]killwhenabusing1[.]xyz

Honestly, not too much at this point surprised me, however, the tactic of using aspnet_compiler.exe to run the malware from the powershell file was new to me. To me, some simple rules to write would include looking for suspicious parent processes launching aspnet_comipler.exe or seeing aspnet_compiler.exe attempting network connections.

I'll put together some YARA rules and OpenIOC rules later.