After the attacker has nibbled on the breadcrumbs and followed along on the trail of deception, s/he gets to work on executing code. In the decoy (or honeypot) server, you can watch as information is gathered by the malicious actor.
What you see here from the bottom to the top:
The lowest one - the attacker runs wget, a command that lets him download an external file to the compromised server.
The middle one - takes the downloaded file and changes it to be executable
The top one - command runs the downloaded backdoor