Sublime Forum

Shady contacted domain on VirusTotal?

#1

Hello, I was testing ST and, just out of curiosity, I ran the sublime_text.exe file on VirusTotal. The weird thing is that VT says the exe contacts a domain x1.c.lencr.org.
Upon searching this domain on the internet, it says that it is used to hijack browsers and load adware and bloatware on them. My question is, why does VirusTotal say that Sublime contacts such a domain? My PC is not infected, as I tested more exe files and they seem to be ok.
[image: VirusTotal JujuBox analysis screenshot]

Edit: I added the photo of the VirusTotal JujuBox analysis.

0 Likes

#2

Here’s the VirusTotal report of official ST 4112:

https://www.virustotal.com/gui/file/dd6d6ece9a33f3be29b00cbe6b433d56dacddb64cfe698b3b9e8f541d35d8063/detection

The only two connections sublime_text.exe establishes today are:

… and those from plugin_host which calls out for Package Control updates.

Why is ‘license.sublimehq.com’ missing in your list?

Maybe you got a tampered binary, or something else redirects license check requests?

0 Likes

#3

Okay, sorry for answering from another account. I forgot to save the other one’s password. But this is the binary from the Sublime Text website. It is the portable version, but it should also check the license as you said. So there shouldn’t be any tampering going on with it. I have no idea; it should be a clean download from the official website. Maybe VirusTotal saw it as a different binary? Maybe there is something going on with my computer and it only infected the Sublime Text binary. I have no idea. I will do a clean format and check again to see if my binary still says that it contacts such a domain.
Thank you for checking it out, deathaxe.

Edit: Okay, I literally clean installed Windows 10 on my machine, and the first thing I did was download the portable version of Sublime Text and scan it again through VirusTotal, and it shows the same thing!! I don’t know how, but it is the same thing. My Sublime Text is not cracked or bypassed; I would not be wasting my and your time knowing that the binaries are changed in some way. It would just mean that whoever cracked it tried to pull a sneaky on me. This is not the case though. I can’t really find an answer for this, but I think it would be safe to not run sublime_text.exe on my computer.

0 Likes

#4

Note that lencr.org is owned by letsencrypt: https://letsencrypt.org/docs/lencr.org/ and that URL hosts a certificate revocation list. We use letsencrypt for secure connections to our website, so my guess is that it’s simply fetching the revocation list to make sure the connection is secure.

@deathaxe a connection to the license server would be missing if they don’t have a license.

1 Like
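To show what a CRL fetch like the one reported above actually is, here is an added example (not code from the thread, from Sublime HQ or from Let’s Encrypt) using the `cryptography` library with a constructed test CA: it reads the CRL Distribution Point URL out of a certificate, which is exactly where a TLS client such as Windows CryptoAPI learns that it should contact a host like x1.c.lencr.org, and then checks that a CRL is signed by the issuing CA before trusting what it says about revocation.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Hypothetical CRL distribution point, modelled on the lencr.org URL from the thread.
CRL_URL = "http://x1.c.lencr.org/"
NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn="Test CA"):
    # Constructed self-signed test CA; stands in for the real Let's Encrypt issuer.
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_leaf(ca_key, ca_cert, crl_url):
    # Constructed end-entity cert carrying a CRL Distribution Points extension.
    key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
    return (x509.CertificateBuilder().subject_name(_name("www.example.test"))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=90))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def crl_urls(cert):
    """URLs a TLS client may fetch to check this certificate's revocation status."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    return [gn.value for dp in ext for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]

def make_crl(ca_key, ca_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_is_trusted(crl, ca_cert):
    """A downloaded CRL only counts if the issuing CA signed it; otherwise ignore it."""
    return crl.issuer == ca_cert.subject and crl.is_signature_valid(ca_cert.public_key())

def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```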

#5

Ahhh, that makes sense. The Google searches threw me off completely; they wanted some clicks, I guess. It does host a .crl file, but honestly I had no idea what it was used for. Thank you @bschaaf for clearing up the question I had; I was still thinking for a reason :sweat_smile:

0 Likes