126.96.36.199 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:
NetRange: 188.8.131.52 - 184.108.40.206707 Wilshire Boulevard is a massive office block but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.
Parent: QUERYFOUNDRY-06 (NET-104-152-212-0-1)
Customer: Shanghe Yang (C05354145)
CustName: Shanghe Yang
Address: 707 Wilshire Blvd
City: Los Angeles
A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation.
Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.
The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't meet these pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:
address: 13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address: 67240 Bischwiller
It isn't a big place according to Google. I doubt if there is a Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.
Although there is not much data about the range, there are a couple of domains that are also flagged a malicious:
sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]
Quite why they are flagged as malicious is a puzzle.
My personal opinion is that there is enough evidence to treat 220.127.116.11/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.
Blocking or monitoring for traffic to and from that /25 is the easiest way of doing it, alternatively these are the domains being used in this network block: