described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery which frankly gives enough information to make it suspicious.
However, the key thing is the registrant details which have been used in many malware attacks before.
CustName: Private Customer
Address: Private Residence
I can see the following .pw domains active in this range:
All those domains are flagged by Google as malicious and I recommend that you block them along with 18.104.22.168/28.
(Hat tip to my source, you know who you are!)