Detects an automated FTP session performing credential probing, directory discovery, ASCII mode configuration, passive transfer negotiation, and staged upload of a photo_scr payload. This pattern is consistent with scripted web shell or content-stager deployment via compromised FTP credentials.