I'm confused about the ntlm hashes - so it sounds like there is some service that contacts the auto-generated guid domain and sends legit SMB traffic to it? That seems really odd? I'd be curious to hear more about that.
Well, history has shown that you can't expect a non existing TLD to keep not existing. The design industry got burned using .xxx as a placeholder in designs, when that suddenly started resolving people's placeholders all linked to porn.