The cheapest and fastest way to figure out what's wrong at this early stage is to test the anomalous software with the wrong MD5 hash code.
Cryptographic hash functions, such as MD5, SHA-1, or SHA-256, are strictly one-way operations.
For example, if you want to crack a system password stored as an MD5 hash code, you'll need to produce an MD5 hash of every possible password you think you know and then compare each of those hash codes against the stored password hash code.
Stevens, who is a scientific staff member in the cryptology group at CWI, analysed the rogue Microsoft certificate used by Flame's authors and determined that they used a different MD5 collision attack than the one devised by him and his colleagues in 2008.
Furthermore, the fact that Flame's creators used an MD5 collision attack different from the one developed by Stevens and his colleagues suggests that the two variants might have been designed in parallel.