vault-process

SUSPICIOUS: the core vault-processing behavior is internally consistent and local-only, but the optional execution of an unverified external command (vault-qmd) is not well supported by the evidence and creates disproportionate install/execution trust risk. No clear credential theft or exfiltration is present, so this is not confirmed malware.