Get Victim Profile - VantaPrism API

Retrieve the full infection profile for a single victim — malware family and version, host metadata (OS, computer name, hardware identifiers), installed software/browsers/antivirus products, and infection timestamp. This is the central “drill-in” endpoint: most search endpoints return a victim_id you can pass here to get the complete picture of that infection.

Request

GET /v1/victims/{victim_id} · Required scope: search:stealer (all tiers)

Parameter	Type	Required	Default	Description
`victim_id`	string (path)	Yes	—	SHA-256 `victim_id` (64 lowercase hex chars) or a `log_victim_id` from a previous search result. Both forms are resolved automatically
`include_processes`	boolean (query)	No	`false`	Include the running-process list captured at infection time

Example request

curl -X GET "https://api.vantaprism.me/v1/victims/a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456?include_processes=true" \
  -H "api-key: $VANTAPRISM_API_KEY"

Response

200 OK — a single VictimProfile object.

{
  "data": {
    "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
    "log_victim_id": "RL-2026-AC91F3",
    "stealer_family": "RedLine",
    "stealer_version": "1.4",
    "ip": "203.0.x.x",
    "country": "US",
    "os": "Windows 11 Pro",
    "computer_name": "DE*************",
    "user_name": "jd**",
    "hwid": "A1*************",
    "machine_id": "8F*************",
    "log_date": "2026-05-02T14:22:31Z",
    "malware_location": "C:\\***",
    "timezone": "America/New_York",
    "cpu_name": "Intel Core i7-12700",
    "ram_total_bytes": 17179869184,
    "anti_viruses": ["Windows Defender"],
    "installed_browsers": ["Chrome", "Edge"],
    "installed_software": ["Microsoft Office", "Zoom", "Slack"],
    "has_system_password": true,
    "processes": []
  },
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 18.4,
    "tier": "free",
    "masked_fields": ["ip", "computer_name", "user_name", "hwid", "machine_id", "malware_location"]
  }
}

Field	Description
`victim_id`	SHA-256 victim ID
`log_victim_id`	Original ID assigned by the stealer log
`stealer_family` / `stealer_version`	Malware identification
`ip`	Masked via `subnet_mask` on free tier
`country`	ISO 3166-1 alpha-2
`os`	Operating system
`computer_name` / `user_name` / `hwid` / `machine_id`	Masked via `partial_identifier` on free tier
`log_date`	When the log was captured
`malware_location`	Masked via `partial_filepath` on free tier
`timezone`
`cpu_name`
`ram_total_bytes`	Total RAM in bytes
`anti_viruses`	Detected AV products
`installed_browsers`
`installed_software`
`has_system_password`	Boolean-flag substitute for the raw `system_password` field on free/pro tiers
`processes`	Running process list at infection time. Only populated when `include_processes=true`

Not paginated

This endpoint returns a single object — cursor/limit/sort_direction do not apply.

Errors

Status	`code`	Cause
404	`NOT_FOUND`	`victim_id` could not be resolved (unknown SHA-256 or `log_victim_id`)
403	`FORBIDDEN_SCOPE`	Key lacks `search:stealer`

See Errors for the full catalog.

Tier notes

ip, computer_name, user_name, hwid, machine_id, and malware_location are masked per the standard free-tier rules in Data Masking. has_system_password is always a boolean — the raw system_password value is never returned by this endpoint on free or pro tiers.

Next steps

To retrieve the credentials, cookies, files, or other data categories associated with this victim, use Victim Sub-resources.

​Request

​Example request

​Response

​Not paginated

​Errors

​Tier notes

​Next steps