Meanwhile I checked the RDP logs on my system in
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
It shows some entries on Dec 4th which do not exactly match the time of the hack. But there are also messages going back six months. The setting of RDP is turned off
They may have connected before the hack and just been sitting waiting though if there is entry for the 4th I would assume that indeed was the attackers connecting unless you use RDP yourself.
I think the RDP logs only show the initial connection from the peer to host.
edit : after thought possibly they connected with RDP first them infected you with some other type or RAT or malware from the RDP connection. Is also highly possible.