These files are not malicious, they are written by the Brute-Force Login patch installed by my plugin. These are essentially log files that record all the failed login attempts. As you can see from the info you have decoded, those files store a timestamp and method in a serialized array.
I don’t want to use the database to store that info because the whole point of my Brute-Force patch is to preempt the WordPress boot-loader so as to prevent attacks from having a DDoS effect on your server.
I am working on a better way to do this though, one that does not require writing to files or using a session.