And so, as I feared and you guys guessed, the bastard broke into my system via RDP.

Logs show that he tried for a few days, at different times of the day, starting from Feb 7th. The system would reject his attempts, returning in the logs a "Remote DD security layer error, connection dropped for %ATTACKER-IP%." (wording of the error string not accurate).
The guy tried from 4 different IPs, but mainly and mostly from one specific one.

At some point, the night of the attack, I see he manages to log in using a "tempAdministrator" user the server did not have originally.

I am still searching, but clearly the guy must have succeeded in creating this "tempAdministrator" user at some point that night, and used it to break in.

It would seem it all happened via the RDP protocol and some bug in it.

I'll keep digging.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg