How can penetration testers use Volume Shadow Copy to create a fileless process?
Penetration testers can create a fileless process by first using `vshadow.exe` to create a Volume Shadow Copy of a drive, then executing a malicious binary from inside that shadow copy via a symbolic link (created with `mklink /d`). After deleting both the symbolic link and the shadow copy, the executable continues running without its source file existing on disk, achieving fileless execution.
Volume Shadow Copy, fileless execution, vshadow, mklink, symbolic link, penetration testing