Detects an automated FTP session performing credential probing, directory discovery, ASCII mode configuration, passive transfer negotiation, and staged upload of a photo_scr payload. This pattern is consistent with scripted web shell or content-stager deployment via compromised FTP credentials.

FTP session where the client uploads files named Photo.scr and Photo.lnk using STOR after entering passive mode.