Re: (Help!) Blockchain.info - Transaction change moved to unknown address
First of all, sorry for my bad english 
Let's summarize the question, whenever I want to spend my funds from the cold wallet, I import them into the blockchain info, which goes to the standard wallet, and after sending how much I want somewhere, I create another cold wallet in bitaddress and send these funds back, just using the blockchain info to 'spend' them.
I always import the public key of the address created to view my balance as Watch-Address, this time being 1AXXCct4QATf2UdX92piw1AA2As8AoZaoM, then I noticed the PK field below the public address as in the picture below, and the same exists in the GitHub project, is not a malware or something else:
https://i.stack.imgur.com/A76xC.png
Then I inserted the exchange address: 1PjcZKMFR8wkFjoMAE2aoVfSeB5xHwVLdu, and I sent a portion of the balance, imagining that the change would go back either to 1AXXCct4QATf2UdX92piw1AA2As8AoZaoM or to the main blockchain wallet.
I believe that the outputs generated at the change address 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B should be at 141rWhPaeSpTqn2YH1fw2WFnwhojQTERyp that is part of the HD wallet.
In fact this 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B does not exist in the following paths: m/44'/0'/0'/0 (External Default Wallet), m/44'/0'/0'/1 (Internal Default Wallet).
Last internal address with funds (141rWhPaeSpTqn2YH1fw2WFnwhojQTERyp):
https://imageshack.com/a/img924/4746/mXx5Gw.png
Last external address with funds (1LsLpbPNS2w98WnKbQ2MmubkQBWhxbPvrz):
https://imageshack.com/a/img924/4808/WnYgFt.png
This address 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B was imported by blockchain as WatchOnly without your private key, I'm thinking of doing a brute force on the seed and looking for it until I understand how they generate a change address.
Let's summarize the question, whenever I want to spend my funds from the cold wallet, I import them into the blockchain info, which goes to the standard wallet, and after sending how much I want somewhere, I create another cold wallet in bitaddress and send these funds back, just using the blockchain info to 'spend' them.
I always import the public key of the address created to view my balance as Watch-Address, this time being 1AXXCct4QATf2UdX92piw1AA2As8AoZaoM, then I noticed the PK field below the public address as in the picture below, and the same exists in the GitHub project, is not a malware or something else:
https://i.stack.imgur.com/A76xC.png
Then I inserted the exchange address: 1PjcZKMFR8wkFjoMAE2aoVfSeB5xHwVLdu, and I sent a portion of the balance, imagining that the change would go back either to 1AXXCct4QATf2UdX92piw1AA2As8AoZaoM or to the main blockchain wallet.
I believe that the outputs generated at the change address 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B should be at 141rWhPaeSpTqn2YH1fw2WFnwhojQTERyp that is part of the HD wallet.
In fact this 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B does not exist in the following paths: m/44'/0'/0'/0 (External Default Wallet), m/44'/0'/0'/1 (Internal Default Wallet).
Last internal address with funds (141rWhPaeSpTqn2YH1fw2WFnwhojQTERyp):
https://imageshack.com/a/img924/4746/mXx5Gw.png
Last external address with funds (1LsLpbPNS2w98WnKbQ2MmubkQBWhxbPvrz):
https://imageshack.com/a/img924/4808/WnYgFt.png
This address 1KfTVrLG376B7SYb1bA6NnY7KyK825T72B was imported by blockchain as WatchOnly without your private key, I'm thinking of doing a brute force on the seed and looking for it until I understand how they generate a change address.