Couldn't finding the malicious executable help if it's disassembled? The private key must be somewhere in there, I would think, unless the program connects to the malicious server to get the key and keeps it in volatile memory while doing the encryption...