It would be trivial to add a “please click ‘yes’ to the UAC prompt to allow verification” screen, so that isn’t really going to stop anyone.
I’ve seen a bit of office malware in the past that did that, where it had a bunch of images instructing you to enable macros and that.
Or, session cookies. They don’t need special privilege to access, and if you grab all of someone’s cookies, you can probably get some valid session cookies for logged in accounts just by checking for some common domains in one/by keyword.
From there, it would be trivial to get into email, social media, and other accounts to do other things with.