Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Uses Tor communications

Malware can proxy its traffic through Tor for more anonymity.

Enumerates physical storage devices

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext