Okay - Vamsoft is busy!
Can you stop the Simple Mail Transport Service service, then wait for 5 minutes, then restart the service.
Reason for this is to give the server a chance to breathe and to allow Vamsoft to start monitoring again and to kill any existing open connections.
Once restarted, any new attempt to send via your server will be logged by Vamsoft and the very first new entry in th elogs can be used to cross-reference your security event log. From there, you should be able to identify the breached account.
Once identified, reset the password, restart Simple Mail Transfer Protocol service and then monitor Vamsoft again. Hopefully that should be then end of the spam. If it is, then tme to clean up using whatever method you prefer although Sunny's suggestion of aqadmcli is probably the quickest (I must update my article).
