Legitimate scripts usually reside in protected admin folders. If you find rdp.txt in %TEMP% or C:\Users\Public\ , it is likely malicious.
Multi-factor authentication effectively nullifies the value of a stolen password in a text file. RDP.txt
The file may contain plaintext logins and passwords harvested from unsuspecting IT staff. DTIC.mil (AD1201693) How to Protect Yourself Legitimate scripts usually reside in protected admin folders
Criminal groups, including the notorious collective, utilize automated scanners to find open RDP ports. These scanners often output their "hits"—the IP addresses of vulnerable servers—into text files for later exploitation. Akamai Blog including the notorious collective