🏺 Crash Files

Created: 02.06.2023

This is about … .

DrWatson

Drwtsn32.log: Dr. Watson traps a crashing program and logs it here. It can also create a file, User.dmp. This is 100% proof that the program was executed.

WER

📂 C:\ProgramData\Microsoft\Windows\WER
📂 %UserProfile%\AppData\Local\Microsoft\Windows\WER (%UserProfile% = Default, Public, All)

🛠️ KAPE

This folder contains the WER reports, which might give a clue or a lead in the investigation. They contain the following info:

🐾 timestamps ⏰
🐾 report type
🐾 hash 🔥
🐾 application name
🐾 loaded modules
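An added example (not part of the original notes): a small Python parser that pulls the fields listed above out of one Report.wer file. The key names (EventTime, ReportType, AppName, AppPath, LoadedModule[n], TargetAppId) and the TargetAppId layout carrying the SHA-1 are assumptions about the report format, and the sample report is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the key=value layout of a Report.wer file (not real case data).
SAMPLE_WER = "\r\n".join([
    "EventType=APPCRASH",
    "EventTime=133300000000000000",
    "ReportType=2",
    "LoadedModule[0]=C:\\Users\\Public\\sample.exe",
    "LoadedModule[1]=C:\\Windows\\SYSTEM32\\ntdll.dll",
    "AppName=sample.exe",
    "AppPath=C:\\Users\\Public\\sample.exe",
    "TargetAppId=W:0000" + "ab" * 20 + "!0000" + "cd" * 20 + "!sample.exe",
]).encode("utf-16")  # Report.wer is UTF-16 text with a byte-order mark

# Assumed TargetAppId layout: "W:" + 4 hex digits + 40-hex SHA-1 of the executable.
SHA1_RE = re.compile(r"^W:[0-9a-fA-F]{4}([0-9a-fA-F]{40})!")

def filetime_to_utc(value: str) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

def parse_wer(raw: bytes) -> dict:
    """Extract the triage fields from the bytes of one Report.wer file."""
    has_bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if has_bom else "utf-16-le")
    fields, modules = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip blank or malformed lines
        if key.startswith("LoadedModule["):
            modules.append(value)
        else:
            fields[key] = value
    sha1 = SHA1_RE.match(fields.get("TargetAppId", ""))
    event_time = fields.get("EventTime")
    return {
        "event_time": filetime_to_utc(event_time) if event_time else None,
        "report_type": fields.get("ReportType"),
        "app_name": fields.get("AppName"),
        "app_path": fields.get("AppPath"),
        "sha1": sha1.group(1).lower() if sha1 else None,
        "loaded_modules": modules,
    }

if __name__ == "__main__":
    for name, value in parse_wer(SAMPLE_WER).items():
        print(f"{name}: {value}")
```

To use it on evidence, pass the bytes of a collected Report.wer (for example `open(path, "rb").read()`) to `parse_wer`.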

Files

References

https://medium.com/dfir-dudes/amcache-is-not-alone-using-wer-files-to-hunt-evil-86bdfdb216d7