I didn't have that File Manager plugin, however, I did install Wordfence and Sucuri post-hack. With Sucuri I use the hardening settings to disable plug-in writing. But after some more research, I think the
aeR4Choc_start code was injected via a Laravel Debug exploit...