diff --git a/CHANGES b/CHANGES index 893e7ca7f0..4a6422d808 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +7.2.0-dev.140 | 2025-02-03 18:34:00 -0700 + + * Add note to Traces/README about possible malware in pe/pe.trace (Tim Wojtulewicz, Corelight) + + * Fix formatting of Traces/README entry for modbus-eit.trace (Tim Wojtulewicz, Corelight) + 7.2.0-dev.137 | 2025-02-03 16:53:04 -0800 * Remove unused SupervisedNode::InitCluster declaration (Christian Kreibich, Corelight) diff --git a/VERSION b/VERSION index 64895365ea..8e8441acfe 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.2.0-dev.137 +7.2.0-dev.140 diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index f5b1e4fb51..ca555b15aa 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -6,8 +6,9 @@ depend on them for tests. Trace Index/Sources: -- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - +- modbus/modbus-eit.trace: + Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. + The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap) - ldap/simpleauth-diff-port.pcap: made with `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap` @@ -41,3 +42,7 @@ Trace Index/Sources: - quic/merlinc2_Zeek_example.pcapng Provided by Faan Rossouw on #4198 https://github.com/zeek/zeek/issues/4198 +- pe/pe.trace + VirusTotal reports that this file contains malware. The PE analyzer was originally added + to decode info for malware, so this is expected. See + https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
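Review bot: In the testing/btest/Traces/README hunk that adds the pe/pe.trace entry, the only reference for the malware note is a zeekorg.slack.com archive link, which readers outside that workspace cannot open and which may not persist. Summarize the relevant facts in the README itself or link to a public issue, as the quic entry just above does with https://github.com/zeek/zeek/issues/4198. The entry would also benefit from stating where the trace was sourced, as the other entries do, and from noting that endpoint scanners may flag or quarantine the file in a checkout, so a failing PE test can be traced back to that. Minor style point: the modbus entry reformatted in this same patch ends its first line with a colon ("- modbus/modbus-eit.trace:"), while "- pe/pe.trace" does not.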