First step I would have taken would be to power down, pull the drive to a forensics machine and make an image of the drive with DD. Then I would invest a large amount of time doing at least a basic analysis that backed up my position, asa precursor to making the image of the compromised VM available to sec research community.
What I would not have done is tweeted “this happened” and then re-installed, erasing any hope of understanding how this happened and fixing the alleged vulnerability for everyone else in the world.