Today I found my CPU at 50%. It was at this level for over 24hrs (so before I found out that PPOM Pro was deactivated). I found it was a process called XMRig. Researched and saw that this was potentially linked to cyrptomining. https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
Ran ImunifyAV through Plesk panel and found a file /wp-content/uploads/ppom_files/default.php. They were able to upload this via “POST /wp-admin/admin-ajax.php”.
I also found a folder in the domain root that was named xmrig-6.12.1 and it included a few files apparently to run the XMRig process.