3.1.1 ANSI and Unicode API Functions

Windows supports two parallel sets of APIs: one for ANSI strings (single-byte characters in the current code page) and the other for Unicode strings (UTF-16LE wide characters). Many functions that take a string as an argument carry an A or W suffix in their names, such as CreateFileA. In other words, the trailing character tells you what type of string (ANSI or Unicode) is passed to the function. In the preceding example, the malware calls CreateFileA to create a file; the trailing A specifies that this variant of CreateFile takes an ANSI string as input. You will also see malware using APIs such as CreateFileW; the W at the end specifies that the function takes a Unicode string as input. The suffix-less name, CreateFile, is only a macro that the compiler resolves to one of the two variants, so the name you find in a binary's import table is always the A or W form. During malware analysis, when you come across a function such as CreateFileA or CreateFileW, just remove the trailing A or W and use CreateFile to search MSDN for the function documentation. The suffix also tells you how the string argument is laid out in memory, which matters when you hunt for it: an ANSI path appears as plain bytes, while the same path passed to a W function is stored with a zero byte after each character.
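The following helper, added here as an illustration and not code from the book, automates the two points above for a list of imported names. It strips the A/W suffix to get the name to search for, labels the variant, and shows the byte form a string takes when it is handed to each variant. The import list is constructed sample data, and the suffix rule is a heuristic: confirm that the stripped base name is actually a documented function before relying on it.

```python
from typing import Dict, Optional, Tuple

# Constructed sample: import names as they might appear in a sample's import table.
SAMPLE_IMPORTS = [
    "CreateFileA", "CreateFileW", "WriteFile", "RegSetValueExW",
    "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent",
]


def split_api_name(name: str) -> Tuple[str, Optional[str]]:
    """Return (base_name, variant) where variant is 'ANSI', 'Unicode' or None.

    Heuristic only: a trailing capital A or W is treated as the ANSI/Unicode
    suffix. Verify the base name exists in the documentation before trusting it.
    """
    if len(name) > 1 and name.endswith("A"):
        return name[:-1], "ANSI"
    if len(name) > 1 and name.endswith("W"):
        return name[:-1], "Unicode"
    return name, None  # no string-variant suffix (or the function takes no string)


def classify_imports(names) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each imported name to the name to search for and its string type."""
    return {n: split_api_name(n) for n in names}


def encode_argument(text: str, variant: Optional[str]) -> Optional[bytes]:
    """Bytes the caller places in memory for `text` when calling that variant.

    ANSI uses the system code page (cp1252 assumed here) with a single NUL
    terminator; Unicode uses UTF-16LE with a two-byte NUL terminator.
    """
    if variant == "ANSI":
        return text.encode("cp1252") + b"\x00"
    if variant == "Unicode":
        return text.encode("utf-16-le") + b"\x00\x00"
    return None


if __name__ == "__main__":
    for name, (base, variant) in classify_imports(SAMPLE_IMPORTS).items():
        print(f"{name:20} search for: {base:18} string type: {variant}")
    # Same path, two in-memory layouts: this is why a plain `strings` run misses
    # the Unicode copy unless it is told to look for 16-bit characters.
    path = r"C:\evil.exe"
    print(encode_argument(path, "ANSI"))
    print(encode_argument(path, "Unicode"))
```

The Unicode encoding output is the pattern to look for when a sample's strings do not show up in a byte-oriented string search: each ASCII character is followed by a 0x00 byte.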
