and 18.104.22.168 (Online SAS, France). The payload isn't clear, but some of the URLquery reports indicate Neutrino.
In the case I saw, the victim was directed to the EK from a compromised site at greetingstext.com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie.
I would recommend that you block the following IPs and domains as a precaution: