Ransomware: TeslaCrypt - Stuck at Last Question

Has anyone figured out the final question of the Ransomware: TeslaCrypt lab?

"What is the domain of the first DNS request made after executing the malware?"

• No correct answers via Ghidra
• No answers via ProcMon (suggested in the briefing)
• I checked the activity in x32dbg - nothing

Any ideas? Is the lab broken? As always I might be looking too far...