I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the drm in RAM. It required admin permissions, I didn't trust it, but i ran in a vm and nothing happened.
Then i told myself "i have microsoft defender and windows firewall control, they will warn me" and I ran it in my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.
Then i reboot, and firstly i notice a couple DOS prompts flashing on the screen, and windows firewall control asking me if "aspnet_compiler.exe" is allowed to access the internet or not.
Suspicious, i go to check that "aspnet_compiler.exe" and it's located in the .net system folder, i scan it with microsoft defender and it doesn't report as a virus. I do not pay attention to the fact that it doesn't have a valid Microsoft signature, and i tell myself "probably just a windows update" and i whitelist it on the firewall.
After a few hours I realize "wait a minute: it's impossible that an official windows exe isn't signed by microsoft!" I go back to scan it, not infected... or it looks like, defender says "ignored because in whitelist". What? The "loader" put c:* in the whitelist!
The "crack loader" wasn't a virus per se. It dropped an obfuscated batch in startup, which had a base64 encoded attachment of the actual malware, that was copied in the .net framework directory with unassuming names...
And this for a $60 perpetual license program that i should buy anyway because it's for work
I guess in theory you're right. If you're executing code, you're executing code. But usually when executing EXE files it tends to target Windows machines, but yeah, there's no way of telling if it'll recognize it's in a linux environment and do it's thing there as well.
Especially because OP mentioned he just clicked "Yes"/"Allow" to all the super user prompts.
Now personally I don't run an Arch system and only install software from my distro + flatpak; So I feel pretty secure for now. But I can see that trend buckling as the AUR is already under attack.
Programs running on Wine still have access to all of the files that you do. They won't be able to mess with system files unless they can find some sort of privilege escalation exploit in Wine though.