edit : after thought possibly they connected with RDP first them infected you with some other type or RAT or malware from the RDP connection. Is also highly possible.
hm yes - if that is the case then my system is still open like anything - at least meanwhile I installed
https://www.spyshelter.com to see if anything dubious is going on - but probably I will have to change to a newly setup system - at least remaining cryptos are on a ledger now and 2FA backup codes are on paper only