If there is any “smart” device, facing the internet, chances are that it will get compromised at some point of time.
The odds are higher if the device is not patched, firmware of the device updated regularly. Intrusion is even more likely, if there is not enabled any software countermeasure like antivirus.
On the picture above, there is what happens next. The compromised device might start to act as a so called robot, or zombie if controlled command and control server. And scan for other vulnerable devices on the internet.
Once such vulnerable device is found, attempt to drop a file usually happens (Kill chain phase: Installation) in order to install demanded code on the victim.
In particular, there is 20 000 different files drop attempts on 200 000 devices within 24 hours on the picture.