diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py
index e08e25b61..1005154e7 100644
--- a/modules/signatures/windows/creates_doc.py
+++ b/modules/signatures/windows/creates_doc.py
@@ -2,6 +2,9 @@
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
 
+import ntpath
+import logging
+
 from lib.cuckoo.common.abstracts import Signature
 
 class CreatesDocument(Signature):
@@ -15,7 +18,18 @@ class CreatesDocument(Signature):
     pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"
 
     def on_complete(self):
+        log = logging.getLogger(__name__)
+        for fileopened in self.check_file(pattern=self.pattern, actions=["file_opened"], regex=True, all=True):
+            opened_dirpath, opened_files = ntpath.split(fileopened)
         for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
-            self.mark_ioc("file", filepath)
-
+            file_dirpath, filepath_files = ntpath.split(filepath)
+            if opened_dirpath == file_dirpath and filepath_files[2:] in opened_files and filepath_files[0:2] == "~$":
+                if opened_dirpath == file_dirpath:
+                    log.debug("Parameter 1 of 3: {} is equal to {}...Passed...".format(opened_dirpath, file_dirpath))
+                if filepath_files[2:] in opened_files:
+                    log.debug("Parameter 2 of 3: {} is in {}...Passed...".format(filepath_files[2:], opened_files))
+                if filepath_files[0:2] == "~$":
+                    log.debug("Parameter 3 of 3: {} is equal to ~$...Passed...Whitelisted...".format(filepath_files[0:2]))
+            else:
+                self.mark_ioc("file", filepath)
         return self.has_marks()
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index 309d97a60..9b2056d1a 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
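Review bot: `opened_dirpath` and `opened_files` are bound by the new `for fileopened` loop, which sits beside the context-line `for filepath` loop rather than around it, so the written-file check only ever compares against the last matching opened file, and when no `file_opened` event matches `self.pattern` the loop body never runs and the first comparison raises `NameError`, aborting `on_complete` before anything is marked. Collecting every opened `(dir, name)` pair first and testing each written file against that set fixes both; the three inner `log.debug` blocks re-test conditions the enclosing `if` has already established and can go, which also removes the need for the `logging` import added in the first hunk. `filepath_files[2:] in opened_files` is a substring test, so a lock name whose remainder is contained in a longer opened name is also whitelisted — if exact lock-file pairing is intended, compare with `==` instead; the rewrite below keeps the substring semantics.
```python
    def on_complete(self):
        # Office lock files ("~$<name>") written beside an opened document are
        # not IoCs: remember every opened (dir, name) pair before the written scan.
        opened = set()
        for fileopened in self.check_file(pattern=self.pattern, actions=["file_opened"], regex=True, all=True):
            opened.add(ntpath.split(fileopened))
        for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
            file_dirpath, filename = ntpath.split(filepath)
            is_lockfile = filename[0:2] == "~$" and any(
                file_dirpath == opened_dir and filename[2:] in opened_name
                for opened_dir, opened_name in opened
            )
            if not is_lockfile:
                self.mark_ioc("file", filepath)
        return self.has_marks()
```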
@@ -8,6 +8,8 @@
 import re
 
 from lib.cuckoo.common.abstracts import Signature
+from cuckoo.misc import cwd
+from urlparse import urlsplit
 
 class ProcMemDumpURLs(Signature):
     name = "memdump_urls"
@@ -17,10 +19,26 @@ class ProcMemDumpURLs(Signature):
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
 
+    whitelist_file = cwd("whitelist", "domain.txt")
+    whitelist = open(whitelist_file, "r")
+
+
     def on_complete(self):
         for procmem in self.get_results("procmemory", []):
             for url in procmem.get("urls", []):
-                self.mark_ioc("url", url)
+                #Extract top level domain from Procmem results
+                parts = urlsplit(url)
+                if parts[1]:
+                    url = parts[1]
+                else:
+                    pass
+                is_whitelisted = False
+                for white in ProcMemDumpURLs.whitelist:
+                    if re.match(white, url, re.IGNORECASE):
+                        is_whitelisted = True
+                        break
+                if not is_whitelisted:
+                    self.mark_ioc("url", url)
 
         return self.has_marks()
 
@@ -60,7 +78,6 @@ def on_complete(self):
             ".vivavtpaymaster.com",
             ".fraspartypay.com",
         ]
-
         for procmem in self.get_results("procmemory", []):
             for url in procmem.get("urls", []):
                 for indicator in indicators: