Look for arguments like --dump lsass or --output .\extracted\. If the output folder is a temp directory (C:\Users\Public\), treat it as hostile until proven otherwise.
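The command-line check described above, as an added example (not code from the original page): it classifies process-creation command lines by their --dump and --output arguments. Only C:\Users\Public\ comes from the page; the other temp locations, the verdict names, tool.exe and the sample lines are assumptions constructed for illustration.

```python
import ntpath
import re

# Only C:\Users\Public\ is from the page; the other temp locations are assumptions.
SUSPECT_DIR = re.compile(
    r"^(c:\\users\\public|c:\\windows\\temp|c:\\users\\[^\\]+\\appdata\\local\\temp)(\\|$)"
    r"|%(temp|tmp|public)%",
    re.IGNORECASE,
)

def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def flag_value(toks, flag):
    """Return the value of '--flag value' or '--flag=value', else None."""
    for i, tok in enumerate(toks):
        low = tok.lower()
        if low == flag and i + 1 < len(toks):
            return toks[i + 1]
        if low.startswith(flag + "="):
            return tok[len(flag) + 1:].strip('"')
    return None

def assess(cmdline):
    """Return (verdict, reasons) for one process-creation command line."""
    toks = tokens(cmdline)
    dump, out = flag_value(toks, "--dump"), flag_value(toks, "--output")
    reasons = [f"--dump target: {dump}"] if dump is not None else []
    verdict = "review" if reasons else "clean"
    if out is not None:
        norm = ntpath.normpath(out)  # folds '/', '..' and trailing separators
        temp_like = bool(SUSPECT_DIR.search(norm))
        verdict = "hostile" if temp_like else "review"
        reasons.append(f"--output {'in temp-like directory' if temp_like else 'path'}: {norm}")
    return verdict, reasons

# Constructed sample command lines; tool.exe is a placeholder image name.
SAMPLES = [
    r'tool.exe --dump lsass --output .\extracted',
    r'tool.exe --dump lsass --output "C:\Users\Public\out dir"',
    r'tool.exe --output=C:/Users/Public/',
    r'notepad.exe C:\Users\Public\notes.txt',
]

if __name__ == "__main__":
    for s in SAMPLES: print(assess(s), "<-", s)
```

A relative output path such as .\extracted cannot be resolved without the process working directory, so it stays at "review" until that field is joined in from the process-creation event.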
Because it is a tool used for bypassing security (cracking), many antivirus programs flag it as a "hacktool" or "riskware" even if it does not contain a malicious payload.
Malware Disguise