Executing this function via rundll32.exe leads to loading of mscoreei.dll from one of the default .NET directories.
However…
The RunDll32ShimW function takes into account the value of the environment variable COMPlus_InstallRoot when it searches for the mscoreei.dll file.
So…
If we change the value of the COMPlus_InstallRoot variable to point to a directory of our choice and place the payload in a subdirectory associated with the .NET version installed on the system, we can sideload our payload like this:
set COMPLUS_InstallRoot=c:\test\
rundll32.exe mscoree.dll, RunDll32ShimW
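
For hunting, the two observable traces of the technique above are the rundll32.exe command line and an mscoreei.dll image load from outside the default .NET directories. The sketch below is an added example, not code from the original post; it assumes events are dictionaries using Sysmon-style field names (Event ID 1 process creation, Event ID 7 image load), and the sample events, GUIDs and paths are constructed.

```python
import ntpath
import re

# Assumption: stock install, so the default .NET directories sit under C:\Windows.
DEFAULT_NET_DIRS = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\", re.I)
SHIM_CMD = re.compile(r"mscoree(\.dll)?\s*,\s*RunDll32ShimW", re.I)

def find_shim_sideloads(events):
    """Flag rundll32 shim launches and mscoreei.dll loads from non-default paths."""
    shim_procs = set()          # ProcessGuids of rundll32 started with the shim export
    findings = []
    for ev in events:
        if ntpath.basename(ev.get("Image", "")).lower() != "rundll32.exe":
            continue
        guid = ev.get("ProcessGuid")
        if ev["EventID"] == 1 and SHIM_CMD.search(ev.get("CommandLine", "")):
            shim_procs.add(guid)
            findings.append(("shim_invoked", guid, ev["CommandLine"]))
        elif ev["EventID"] == 7:
            # normpath collapses doubled separators and ".." before the directory check
            loaded = ntpath.normpath(ev.get("ImageLoaded", ""))
            if (ntpath.basename(loaded).lower() == "mscoreei.dll"
                    and not DEFAULT_NET_DIRS.match(loaded)):
                kind = "sideload_confirmed" if guid in shim_procs else "sideload_suspected"
                findings.append((kind, guid, loaded))
    return findings

# Constructed sample events: GUIDs, paths and the version folder are made up for the demo.
RUNDLL = r"C:\Windows\System32\rundll32.exe"
CMD = "rundll32.exe mscoree.dll, RunDll32ShimW"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": RUNDLL, "CommandLine": CMD},
    {"EventID": 7, "ProcessGuid": "A", "Image": RUNDLL,
     "ImageLoaded": r"c:\test\\v4.0.30319\mscoreei.dll"},
    {"EventID": 1, "ProcessGuid": "B", "Image": RUNDLL, "CommandLine": CMD},
    {"EventID": 7, "ProcessGuid": "B", "Image": RUNDLL,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll"},
    {"EventID": 7, "ProcessGuid": "C", "Image": RUNDLL,   # process-create event missing
     "ImageLoaded": r"D:\stage\v4.0.30319\mscoreei.dll"},
]

if __name__ == "__main__":
    for finding in find_shim_sideloads(SAMPLE_EVENTS):
        print(finding)
```

The environment variable itself is not part of these events, so the load path of mscoreei.dll is the signal that carries the detection; image-load logging has to be enabled for it to appear.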
