tapi32d.exe is an unknown component of the Agent.BTZ malware used by Turla.
http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html?m=0
> The original thread will then attempt to start 2 processes: tapi32d.exe and typecli.exe – these attempts are logged. Whenever Agent.btz detects a newly connected removable disk, it will also log the device details into the same log file %system%\mswmpdat.tlb.
>
> The contents of this log file are encrypted the same way – here is the decrypted fragment of it:
>
> ```
> 18:44:45 29.11.2008 Log begin:
> 18:44:45 Creating ps C:\WINDOWS\system32\tapi32d.exe (2)
> 18:44:45 Creating ps C:\WINDOWS\system32\typecli.exe (2)
> 18:44:45 Log end.
> 19:02:48 29.11.2008 Log begin:
> 19:02:49 Media arrived: “D:” Label:"" FS:FAT SN:00000000
> 19:02:49 Log end.
> ```
>
> It is not clear what these 2 files are: tapi32d.exe and typecli.exe - the analyzed code does not create them. It is possible however that the missing link is in the unknown code it injects into Internet Explorer which can potentially download those files.
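
A parser for the decrypted log layout shown in the fragment above, turning it into timeline events for forensic review; this is an added example, not part of the quoted analysis or the original page. It covers only the two entry kinds visible in that fragment, and the event field names and the treatment of the trailing `(2)` as an opaque code are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the decrypted fragment quoted above, one entry per line.
SAMPLE = r"""
18:44:45 29.11.2008 Log begin:
18:44:45 Creating ps C:\WINDOWS\system32\tapi32d.exe (2)
18:44:45 Creating ps C:\WINDOWS\system32\typecli.exe (2)
18:44:45 Log end.
19:02:48 29.11.2008 Log begin:
19:02:49 Media arrived: “D:” Label:"" FS:FAT SN:00000000
19:02:49 Log end.
"""

BEGIN = re.compile(r"^(\d\d:\d\d:\d\d) (\d\d\.\d\d\.\d{4}) Log begin:$")
ENTRY = re.compile(r"^(\d\d:\d\d:\d\d) (.*)$")
PROC = re.compile(r"^Creating ps (.+) \((\d+)\)$")
# The drive letter may be wrapped in straight or typographic quotes.
MEDIA = re.compile(r'^Media arrived: ["“](.*?)["”] Label:"(.*?)" FS:(\S+) SN:(\S+)$')

def parse_log(text):
    # Entries carry only a time; the date comes from the enclosing "Log begin:" line.
    events, day = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BEGIN.match(line)
        if m:
            day = datetime.strptime(m.group(2), "%d.%m.%Y").date()
            continue
        m = ENTRY.match(line)
        if not m or day is None:  # malformed line or entry outside a block
            events.append({"type": "unparsed", "raw": line})
            continue
        when = datetime.combine(day, datetime.strptime(m.group(1), "%H:%M:%S").time())
        body = m.group(2)
        if body == "Log end.":
            day = None
            continue
        p, d = PROC.match(body), MEDIA.match(body)
        if p:  # "code" is the number in parentheses; the page does not explain it
            events.append({"type": "process_start_attempt", "time": when,
                           "path": p.group(1), "code": int(p.group(2))})
        elif d:
            events.append({"type": "media_arrived", "time": when, "drive": d.group(1),
                           "label": d.group(2), "fs": d.group(3), "serial": d.group(4)})
        else:
            events.append({"type": "other", "time": when, "raw": body})
    return events
```
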