I had Coming soon/maintenance mode active, so the first problem could be because of that.
Yes, you are correct.
The malware scanner in the plugin relies on a remote API service to collect information from your public website to determine if there is an infection in the code. This service [1] has some rules that will immediately stop the scan if no relevant data can be found during the first request; one of those rules was triggered by the text referring to the maintenance mode that you activated.
Consequently, the service cached the result of the scan, and because it was unsuccessful the subsequent scans returned the same error message even if the website was not in maintenance mode anymore. The cache is automatically reset after 48 hours unless someone manually requests a fresh scan from the official API.
Just installed WordPress, with all default settings/themes. What is modified?
It’s hard to tell. I know that some hosting providers like to offer a custom version of the WordPress installer which includes either additional features designed by them, or fewer features to reduce the interference with their own system. I cannot say much about this specific question because I don’t know how your website was installed, but surely something in your server was modified in order to trigger the warnings in the integrity checker.
There is an option in the settings page, under the scanner section, to allow you to see what the changes were in each flagged file. Feel free to enable that option and click each file in the WordPress integrity table; you will see a box with red/green color showing what was the original content and what is the new one, respectively.
[1] https://sitecheck.sucuri.net/
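An added illustration of the integrity check and per-file change view described in the reply above; it is not the plugin's code. The file contents, the `host-tweaks.php` name and the use of SHA-256 digests are constructed assumptions standing in for a provider-customised install.

```python
import difflib
import hashlib

# Constructed sample data: "official" copies of three core files (hypothetical content).
OFFICIAL = {
    "wp-load.php": "<?php\ndefine('ABSPATH', __DIR__ . '/');\nrequire ABSPATH . 'wp-config.php';\n",
    "wp-includes/version.php": "<?php\n$wp_version = '0.0.0-sample';\n",
    "readme.html": "<h1>Sample readme</h1>\n",
}
# Constructed "installed" tree: one file changed by the installer, one removed, one added.
INSTALLED = {
    "wp-load.php": "<?php\ndefine('ABSPATH', __DIR__ . '/');\n"
                   "require ABSPATH . 'host-tweaks.php';\nrequire ABSPATH . 'wp-config.php';\n",
    "wp-includes/version.php": "<?php\n$wp_version = '0.0.0-sample';\n",
    "host-tweaks.php": "<?php\n// provider customisation\n",
}

def digest(text):
    """Hex digest used to compare a file against its known-good copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def integrity_report(official, installed):
    """Return {path: 'modified' | 'added' | 'removed'}; unchanged files are omitted."""
    known = {path: digest(body) for path, body in official.items()}
    report = {}
    for path, body in installed.items():
        if path not in known:
            report[path] = "added"
        elif digest(body) != known[path]:
            report[path] = "modified"
    for path in known.keys() - installed.keys():
        report[path] = "removed"
    return report

def show_changes(path, official, installed):
    """Unified diff for one flagged file: '-' lines are original, '+' lines are new content."""
    return list(difflib.unified_diff(
        official[path].splitlines(), installed[path].splitlines(),
        fromfile="official/" + path, tofile="installed/" + path, lineterm=""))

if __name__ == "__main__":
    for path, status in sorted(integrity_report(OFFICIAL, INSTALLED).items()):
        print(status, path)
        if status == "modified":
            print("\n".join(show_changes(path, OFFICIAL, INSTALLED)))
```

A fresh install that reports files as modified or added, as in the question above, is consistent with an installer that ships altered copies; the per-file diff is what tells a benign provider tweak from injected code.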