In general, a compromised system may be running any software the attacker might find useful, including, but not limited to:

• keyloggers to find passwords that are in use in the company
• software to copy sensitive files to a remote server
• software to encrypt the system itself or (if the computer has access to other machines on the network) other computers
• produce documents (think, mail) that purport to have been created by the user of the corrupted machine.