Raccoon Stealer v2 used OpenProcessToken and AdjustTokenPrivileges to detect if malware is running as SYSTEM or not, which is an interesting point to observe!
In Raccoon Stealer v2, the Windows APIs OpenProcessToken is not the main method of their exploit but a programming logic to decide which functionality of their malware should continue. However, it seems that it's not common for many programs or executables to use these two APIs. In my opinion, it may be a suspicious point if some program use these APIs, especially the ones you already doubt it.
Here is the Source.
Raccoon Stealer v2 used OpenProcessToken and AdjustTokenPrivileges to detect if malware is running as SYSTEM or not, which is an interesting point to observe! In Raccoon Stealer v2, the Windows APIs OpenProcessToken is not the main method of their exploit but a programming logic to decide which functionality of their malware should continue. However, it seems that it's not common for many programs or executables to use these two APIs. In my opinion, it may be a suspicious point if some program use these APIs, especially the ones you already doubt it. Here is the Source.