Please help me understand how this file got into my application directory so I can close that door.
Did you run the scan tool that I mentioned in my previous comment? Start with that.
Sounds like you have enabled some file upload or publishing function within IIS and haven't secured it. Maybe WebDAV? Or FTP/SFTP/SSH? Do you have directory browsing enabled?
Is your web site set up for anonymous access or do you authenticate users? What are the permissions on the site's root folder? Do you have security permissions set to allow update access for any of these accounts?
Everyone
Users
IUSR
IIS_IUSRS
Since you have a virtual server, do you have a network based firewall or are you relying on the Windows Defender firewall to block access to ports like RDP and SMB? Do you have strong passwords on your accounts? Do you change them periodically?
Did you have Windows Defender run a full system scan to look for malware?
Nmap is a good tool that you can use to scan your VPS to look for open ports.
The OWASP Foundation has tools that you can use to scan your web site.
https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/A-Testing_Tools_Resource
The bottom line is that we can't tell you what door to close because we have no idea what door you have open.
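One way to answer the permissions question in the reply above, as an added example that is not part of the original thread: this PowerShell sketch lists every allow entry that gives Everyone, Users, IUSR or IIS_IUSRS write-type access on the site root or its subfolders. The path `C:\inetpub\wwwroot` is an assumption; set it to your application directory.

```powershell
# Added example. Assumption: $SiteRoot is the IIS default; change it to your application directory.
$SiteRoot = 'C:\inetpub\wwwroot'
$Names    = 'Everyone', 'Users', 'IUSR', 'IIS_IUSRS'   # accounts listed in the reply

# Specific rights that allow creating, changing or deleting content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights (GENERIC_WRITE, GENERIC_ALL) show up as raw numbers on inherit-only entries.
$GenericMask = 0x40000000 -bor 0x10000000

$root    = Get-Item -LiteralPath $SiteRoot
$folders = @($root) + @(Get-ChildItem -LiteralPath $SiteRoot -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $isRoot = $folder.FullName -eq $root.FullName
    $acl    = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # On subfolders, report only explicit entries; inherited ones are reported where they are set.
        if ($ace.IsInherited -and -not $isRoot) { continue }
        # Compare on the account name without the BUILTIN\ or NT AUTHORITY\ prefix.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($name -notin $Names) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No write-type access for $($Names -join ', ') under $SiteRoot."
}
```

Run it from an elevated PowerShell prompt so every folder's ACL can be read. Any row it prints is a folder where the web server's anonymous or worker identity can create or change files.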