Flag: blue certificate, Malicious file on system

[Danielxd13]

Hello, I need help regarding the Blue Certificate flag
Malicious file on system, where I don't fully understand the steps or maybe I'm missing something, I've tried various ways to see if by chance it would give me the correct flag, but it did not. I understand that I have to create a file in c:/user/public where after creating it take its sha256 and paste it in a folder called malicious_files.txt and then pass an incident response operation and it is response, so that it automatically deletes the malicious file for me, in this case it does delete the malicious file for me, but it does not give me the flag as completed. What am I missing?