We have same Problem with same Hacker
Change Permission File AdminLoginController.php to 440
Change Admin Folder Name and Admin Pass
Change MySQL Pass
Delete in Root server wp-content Folder, t.php, Xmw.php, 222.php, by.htm, mw.htm, home.bak.php, css.php, in Module Folder delete h2w.php
Done.