The PE header contains information that specifies when the binary was compiled; examining this field can give an idea of when the malware was first created. This information can be useful in building a timeline of the attack campaign. It is also possible that an attacker modifies the timestamp to prevent an analyst from knowing the actual timestamp. A compile timestamp can sometimes be used to classify suspicious samples. The following example shows a malware binary whose timestamp was modified to a future date in 2020. In this case, even though the actual compilation timestamp could not be detected, such characteristics can help you identify anomalous behavior: