guelfoweb / peframe

PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.


Possible connections can lead to catastrophic backtracking

nbargnesi opened this issue

The stock stringsmatch.json has a fuzzing value regex .*(curl|wget).*. For large strings (thousands of characters) without a match this will result in a lot of backtracking as Python tries to greedily match .* and backtracks when it fails.

Ben Frederickson has a good write-up on this.

Using (curl|wget) alone would be enough to flag a possible connection. To maintain some context of where the match was made, the match could use (.{,10})(curl|wget)(.{,10}) to provide up to 10 characters of context around the match, but there will still be significant overhead in many cases.
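To make the cost and the proposed alternatives concrete, the following is an added Python example; it is not code from the issue or from peframe itself. It compares the stock regex against the bare alternation and the bounded-context variant on a constructed long string, and shows a third option the issue hints at: match only (curl|wget) and slice the surrounding characters out of the string in Python, so the regex engine never has to consume the context at all. The `constructed_blob`, `time_search` and `find_connections` helpers, and the scanned strings, are all assumptions made for this example; on a backtracking engine such as Python's re, the stock pattern's cost on a non-matching line grows roughly quadratically with the line length, so try a longer blob if the difference is not visible on your machine.

```python
import re
import time

# Regexes under discussion. GREEDY is the stock stringsmatch.json value quoted
# in the issue; BARE and BOUNDED are the two alternatives it proposes.
GREEDY = re.compile(r".*(curl|wget).*")
BARE = re.compile(r"(curl|wget)")
BOUNDED = re.compile(r"(.{,10})(curl|wget)(.{,10})")


def constructed_blob(length=5000, planted=()):
    """Build a long printable string with no newlines (constructed sample, not
    real malware strings). `planted` is a sequence of (offset, keyword) pairs
    to embed so that matching behaviour can be checked."""
    chars = list("x" * length)
    for offset, word in planted:
        chars[offset:offset + len(word)] = list(word)
    return "".join(chars)


def time_search(pattern, text):
    """Run one pattern.search() and return (seconds_elapsed, matched)."""
    start = time.perf_counter()
    matched = pattern.search(text) is not None
    return time.perf_counter() - start, matched


def find_connections(text, context=10):
    """Flag every curl/wget occurrence with up to `context` characters on each
    side. The regex only has to locate the keyword; the context is sliced out
    of the string afterwards, so no backtracking is spent on the surroundings.
    Unlike the stock greedy regex, this also reports every hit on a line, not
    just the last one."""
    hits = []
    for m in BARE.finditer(text):
        lo = max(0, m.start() - context)
        hi = min(len(text), m.end() + context)
        hits.append({"keyword": m.group(1), "offset": m.start(), "context": text[lo:hi]})
    return hits


if __name__ == "__main__":
    miss = constructed_blob()
    hit = constructed_blob(planted=[(100, "wget"), (4000, "curl")])

    # Worst case for the stock regex: a long line that never matches.
    for name, pat in (("greedy", GREEDY), ("bare", BARE), ("bounded", BOUNDED)):
        elapsed, matched = time_search(pat, miss)
        print(f"{name:8s} no-match {elapsed * 1000:8.2f} ms  matched={matched}")

    # The greedy regex also collapses the whole line into a single match and
    # keeps only the last keyword in group(1); find_connections reports both.
    print("greedy group(1):", GREEDY.search(hit).group(1))
    for h in find_connections(hit):
        print(h)
```

Because the greedy `.*` swallows the rest of the line, the stock regex can only ever report one keyword per line (the last one), whereas `finditer` over the bare alternation reports each occurrence with its own offset, which is the more useful result for a strings report anyway.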