get https://www.virustotal.com/api/v3/feeds/file_behaviours//evtx
Each JSON object contained in the file behaviour feed packages include a link to this API endpoint to download the extracted EVTX from the file's Windows sandbox execution. The available in the feed link already includes the download token required by this endpoint. The following snippet represents the JSON structure in the file behaviour feed that takes to the link:
{
"context_attributes": {
"evtx": "https://www.virustotal.com/api/v3/feeds/file_behaviours/<TOKEN>/evtx"
}
}
The link only works during the feed's lifetime. Check /feeds/file_behaviours/{time} for more information.