From c2d007f2b2f3da183d9760471e2c77cf83bc6c24 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Mon, 9 Feb 2026 10:55:46 +0100
Subject: [PATCH] fixes
---
 modules/processing/behavior.py | 2 +-
 modules/processing/network.py | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/processing/behavior.py b/modules/processing/behavior.py
index be600fce5e5..942fd2bced5 100644
--- a/modules/processing/behavior.py
+++ b/modules/processing/behavior.py
@@ -1285,7 +1285,7 @@ def event_apicall(self, call, process):
 _add_http_host(self.http_host_map, host2, pinfo, sock=sock)
 if api in ("internetconnectw", "internetconnecta", "winhttpconnect"):
- server_name = _get_arg_any(args_map, "ServerName", "lpszServerName", "szServerName", "pszServerName")
+ server_name = _get_arg_any(args_map, "ServerName", "lpszServerName", "szServerName", "pszServerName", "pswzServerName")
 if server_name:
 _add_http_host(self.http_host_map, server_name, pinfo, sock=sock)
diff --git a/modules/processing/network.py b/modules/processing/network.py
index 7d3346aa39a..f402a77148e 100644
--- a/modules/processing/network.py
+++ b/modules/processing/network.py
@@ -1254,6 +1254,9 @@ def _process_map(self, network: Dict):
 if flow.get("dst") and flow.get("dport") is not None:
 proc = self._pick_best(endpoint_map.get((flow["dst"], int(flow["dport"])), []))
+ if not proc and flow.get("dst"):
+ proc = self._pick_best(http_host_map.get(flow["dst"], []))
+
 self._set_proc_fields(flow, proc)
 dns_events_rel = self._build_dns_events_rel(network, dns_intents, max_skew_seconds=10.0)
@@ -1270,6 +1273,9 @@ def _process_map(self, network: Dict):
 if dst and dport is not None:
 proc = self._pick_best(endpoint_map.get((dst, int(dport)), []))
+ if not proc and dst:
+ proc = self._pick_best(http_host_map.get(dst, []))
+
 if not proc and (dport == 53 or sport == 53):
 t_rel = flow.get("time")
 proc = self._nearest_dns_process_by_rel_time(dns_events_rel, t_rel, max_skew=5.0)
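Review bot: The alias tuple in the changed `server_name = _get_arg_any(args_map, "ServerName", ...)` line keeps growing inline; hoisting it to a module-level constant such as `_SERVER_NAME_ARGS = ("ServerName", "lpszServerName", "szServerName", "pszServerName", "pswzServerName")` and calling `_get_arg_any(args_map, *_SERVER_NAME_ARGS)` puts the next spelling in one documented place. A one-line comment on that constant naming the internetconnectw/internetconnecta/winhttpconnect calls it serves would explain why five variants exist. event_apicall's body begins and ends outside the hunk.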
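Review bot: The new fallback `proc = self._pick_best(http_host_map.get(flow["dst"], []))` looks up a flow's destination address in a map that, per the behavior.py hunk in this same patch, is filled from ServerName-style arguments of the connect API calls, i.e. host names; unless `http_host_map` is also keyed by resolved addresses (not visible here), the lookup only hits when the sample connected by IP literal, so either that intent should be confirmed or a name-to-address step is missing. The match is also port-agnostic: any flow to that destination is attributed to whichever process connected to that host, which is weaker evidence than the `endpoint_map` (dst, dport) match and worth recording, e.g. `# Fallback: host-only match from behavior's connect calls (port-agnostic, lower confidence)`. The same fallback is repeated in the @@ -1270 hunk and the per-host @@ -1320 hunk, so a small helper `_proc_by_http_host(http_host_map, dst)` would keep the three in step. `http_host_map` and the initial value of `proc` are set outside the hunk, and _process_map itself starts before it, so whether `proc` is always bound before `if not proc` cannot be checked from the patch alone.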
@@ -1320,6 +1326,12 @@ def _process_map(self, network: Dict):
 else:
 host["process_name"] = ", ".join(f"{name} ({pid})" for pid, name in procs.items())
 host["process_id"] = None
+ else:
+ # Fallback: check http_host_map for this IP
+ proc = self._pick_best(http_host_map.get(host["ip"], []))
+ if proc:
+ host["process_id"] = proc.get("process_id")
+ host["process_name"] = proc.get("process_name")
 def _merge_behavior_network(self, results):
 """
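Review bot: The comment `# Fallback: check http_host_map for this IP` describes the key as an IP, but the map is populated in the behavior.py hunk of this patch from ServerName-style connect arguments, so the lookup by `host["ip"]` only matches when the sample connected to an IP literal; the comment should say so, e.g. `# Fallback: no endpoint match; try host names seen in the connect API calls (only hits when the sample used an IP literal)`. Unlike the branch above it, which lists every candidate process and sets process_id to None when there are several, this branch takes `_pick_best`'s single candidate and writes both fields without noting that other processes may have connected to the same host; either apply the same multi-process handling here or record the lower confidence in the comment. Which `if` the added `else:` pairs with cannot be read from the collapsed patch, and _process_map begins outside the hunk.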