18.104.22.168 [VirusTotal report]
22.214.171.124 [VirusTotal report]
126.96.36.199 [VirusTotal report]
188.8.131.52 [VirusTotal report]
The following domains are being exploited (although there will probably be more soon).
Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).
Crissic Solutions LLC operates 184.108.40.206/19 which does have some legitimate sites in it, but since I have previously recommended blocking 220.127.116.11/24 and 18.104.22.168/24 and now with multiple servers on 22.214.171.124/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go.