I am from Greece. The ip is pointing to Russian and Honk Kong, it depends from where do you look.91.240.118.111 -- The IP that you provided is pointing to Russia. Also, I believe you are from Russia too as you are using the Russian language.
Something is not right --- i can see that NinjaFirewall+ is also highlighting the theme files -- seems like the attacker is aware of the themes and plugins you are using on your site --- should have ran some online test. eg., wpthemedetector.com
I feel like the attacker is trying to directly access the plugin and theme files and the NinjaFirewall+ is blocking those requests.
You better test the file integrity of your site's plugins and theme by comparing them to its downloaded package to know your site is already compromised?
My site is in greek language and my ip is greek. Don't trust the tests because anyone can block the infos.
In the last picture you can see that when i blocked the ip then immediately look for the specific plugin because its his source to regain access but... Also this started from the day i installed this plugin. 2 on 2 its not coincidence but its fact at least for me.
The attacker when gain access to my site then installed a theme and various files across several positions thats why you see these.
Also you can see the plugin filebird pro which is from here also. And the flatsome theme is from here. But still i believe that the rankmath did this.