APC is used for the quick system scan and for certain on-execute events. That HIDDENEXT detection is designed to catch those spammed malware samples (fake invoice/bills etc.). They often disguise their .EXE extension with having a 2nd, harmless extension. Like "Amazon invoice 2014-02-24.pdf.exe". Very old trick, but still widely used by malware.