zoek is simular as ComboFix. Zoek perform such system actions so AV simply target thouse tools as suspicious. It’s heuristic detection.
Later on, If any AV products on VirusTotal detect file as suspicious, it’s been send a file copy to all other AV vendors.
Other AV Products without further file-analysis just add the signature and there you go FP detection