Analysis: Shared but uncommon addresses in refused
If a lot of clients try to connect to the same IP/port, it is likely a known service that is down. If only very few connect try to connect to it, it's likely some kind of configuration error or private server.
However, malwares are known to have multiple potential command centre addresses, which not all of them are available at the same time. Assuming that having the malware would be uncommon, attempts to IP/port shared within few clients might correlate with this.