Identifying an evasive malicious object based on a behavior delta

US9411959B2 · US · B2

Patent metadata
Field                Value
Publication number   US-9411959-B2
Application number   US-201414502713-A
Country              US
Kind code            B2
Filing date          Sep 30, 2014
Priority date        Sep 30, 2014
Publication date     Aug 9, 2016
Grant date           Aug 9, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.

First claim

Opening claim text (preview).

What is claimed is:

1. A security device, comprising: one or more processors to: receive actual behavior information associated with an object, from a user device, the actual behavior information identifying a first set of behaviors associated with executing the object in a live environment at the user device; receive a memory snapshot associated with executing the object in the live environment, the memory snapshot corresponding to a memory space associated with executing the object in the live environment; perform an analysis of the object based on the memory snapshot, the analysis being performed such that the memory space is re-established within a test environment at the security device, and the analysis being associated with identifying whether the object is an evasive malicious object; determine test behavior information associated with the object, the test behavior information identifying a second set of behaviors associated with testing the object in the test environment, and the test environment including a sandbox environment; compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors; identify whether the object is the evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors, the object being identified as the evasive malicious object based on: the first set of behaviors including a malicious behavior, and the second set of behaviors not including the malicious behavior; and provide an indication that the object is the evasive malicious object based on identifying the object as the evasive malicious object.

2. The security device of claim 1, where the one or more processors are further to: receive the object; execute the object within the test environment to determine the test behavior information; and store the test behavior information; and where the one or more processors, when determining the test behavior information associated with the object, are to: determine the test behavior information based on the stored test behavior information.

3. The security device of claim 2, where the one or more processors are further to: provide the object to the user device, the object being provided to the user device to allow the user device to execute the object in the live environment to determine the actual behavior information.

4. The security device of claim 1, where the analysis is a first analysis; and where the one or more processors are further to: receive information associated with a user action associated with executing the object in the live environment; and perform a second analysis of the object based on the information associated with the user action, the second analysis being performed such that the user action is re-created in the test environment, and the second analysis being associated with identifying whether the object is the evasive malicious object.

5. The security device of claim 1, where the test environment includes an emulated environment associated with the security device.

6. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: obtain actual behavior information associated with an object, the actual behavior information identifying an actual set of behaviors exhibited from executing or installing the object in a live environment at a user device; receive a memory snapshot associated with executing or installing the object in the live environment, the memory snapshot corresponding to a memory space associated with executing or installing the object in the live environment; perform an analysis of the object based on the memory snapshot, the analysis being performed such that the memory space is re-established within a test environment at a security device, and the analysis being associated with identifying whether the object is an evasive malicious object; determine test behavior information associated with the object, the test behavior information identifying a test set of behaviors associated with testing the object in the test environment; compare the actual set of behaviors and the test set of behaviors to determine a difference between the actual set of behaviors and the test set of behaviors; determine whether the object is the evasive malicious object based on the difference between the actual set of behaviors and the test set of behaviors, the object being determined as the evasive malicious object based on: the actual set of behaviors including a malicious behavior, and the test set of behaviors not including the malicious behavior; and provide information indicating that the object is the evasive malicious object based on determining the object as the evasive malicious object.

7. The non-transitory computer-readable medium of claim 6, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: receive the object; execute or install the object within the test environment to determine the test behavior information; and store the test behavior information; and where the one or more instructions, that cause the one or more processors to determine the test behavior information associated with the object, cause the one or more processors to: determine the test behavior information based on the stored test behavior information.

8. The non-transitory computer-readable medium of claim 6, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: provide the object to the user device, the object being provided to the user device to allow the user device to execute or install the object in the live environment to determine the actual behavior information.

9. The non-transitory computer-readable medium of claim 6, where the analysis is a first analysis; and where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: receive information associated with a user action associated with executing or installing the object in the live environment; and perform a second analysis of the object based on the information associated with the user action, the second analysis being performed such that the user action is re-created in the test environment, and the second analysis being associated with determining whether the object is the evasive malicious object.

10. The non-transitory computer-readable medium of claim 6, where the analysis is a first analysis; and where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: perform a second analysis of the object based on the memory snapshot, the second analysis being a static analysis associated with the memory snapshot, and the second analysis being associated with determining whether the object is the evasive malicious object.

11. The non-transitory computer-readable medium of claim 6, where the test environment includes a sandbox environment associated with the security device.

12. A method, comprising: receiving, by a security device, actual behavior information, associated with an object, from a user device, the actual behavior information identifying a first group of behaviors associated with executing the object on the user device; receiving, by the security device, a memory snapshot associated with executing th
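The abstract and claim 1 describe the core test as a set difference: behaviors recorded while the object ran on the user device (the "actual" set) are compared with behaviors recorded in the sandbox (the "test" set), and the object is flagged as evasive-malicious when a malicious behavior is present live but absent from the sandbox run. The following Python is an added illustration of that rule and is not code from the patent or from Juniper Networks. The behavior-log format, the two constructed log samples, the `Behavior` type and the `is_malicious` policy are assumptions made for the example; the memory-snapshot and user-action re-creation steps of the claims are not modelled.

```python
from dataclasses import dataclass

# Constructed sample behavior logs, one event per line, "<category>|<detail>".
# These are illustrative records (assumed format), not output of a real agent
# or sandbox. The live run shows persistence, a drop and an outbound connection;
# the sandbox run shows only environment probing and a long sleep.
LIVE_LOG = """\
file_write|C:\\Users\\alice\\AppData\\Roaming\\updater.exe
registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
network_connect|203.0.113.7:443
file_read|C:\\Windows\\System32\\kernel32.dll
"""

SANDBOX_LOG = """\
query_env|hypervisor present
sleep|60000
file_read|c:\\windows\\system32\\kernel32.dll
"""


@dataclass(frozen=True, order=True)
class Behavior:
    category: str
    detail: str


def parse_behaviors(log: str) -> frozenset:
    """Parse a behavior log into a set of Behavior records.

    Category and detail are case-folded so that the same path logged with
    different casing in the two environments compares as the same behavior;
    blank or malformed lines are skipped rather than aborting the comparison.
    """
    behaviors = set()
    for line in log.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        category, detail = line.split("|", 1)
        behaviors.add(Behavior(category.strip().lower(), detail.strip().lower()))
    return frozenset(behaviors)


def is_malicious(b: Behavior) -> bool:
    """Hypothetical policy for what counts as a 'malicious behavior' (claim 1).

    A real security device would apply a far richer rule set; three common
    detection-level indicators are enough to show the delta logic.
    """
    if b.category == "registry_set" and "\\currentversion\\run\\" in b.detail:
        return True  # persistence through a Run key
    if b.category == "network_connect":
        return True  # outbound connection initiated by the object
    if b.category == "file_write" and b.detail.endswith(".exe"):
        return True  # drops an executable to disk
    return False


def behavior_delta(actual: frozenset, test: frozenset):
    """Return (behaviors seen only live, behaviors seen only in the sandbox)."""
    return actual - test, test - actual


def classify_object(live_log: str, sandbox_log: str) -> dict:
    """Apply the rule of claim 1: evasive-malicious iff some malicious behavior
    is in the actual (live) set and not in the test (sandbox) set."""
    actual = parse_behaviors(live_log)
    test = parse_behaviors(sandbox_log)
    only_live, only_test = behavior_delta(actual, test)
    live_only_malicious = sorted(b for b in only_live if is_malicious(b))
    return {
        # The claim's verdict: malicious behavior present live, missing in the sandbox.
        "evasive": bool(live_only_malicious),
        # Separate signal: malicious in either environment (malicious, not necessarily evasive).
        "malicious_anywhere": any(is_malicious(b) for b in actual | test),
        "live_only": sorted(only_live),
        "sandbox_only": sorted(only_test),
        "live_only_malicious": live_only_malicious,
    }


if __name__ == "__main__":
    verdict = classify_object(LIVE_LOG, SANDBOX_LOG)
    print("evasive malicious object:", verdict["evasive"])
    for b in verdict["live_only_malicious"]:
        print("  live-only malicious behavior:", b.category, b.detail)
    for b in verdict["sandbox_only"]:
        print("  sandbox-only behavior:", b.category, b.detail)
```

Two points the code makes explicit that the claim language leaves implicit: behaviors must be normalized before the set difference (otherwise a path-casing difference between the endpoint agent and the sandbox shows up as a spurious delta), and an object that misbehaves identically in both environments is malicious but not evasive under this rule, so the `evasive` flag and the `malicious_anywhere` flag are reported separately.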

Assignees

Inventors

Classifications

  • G06F21/566 (Primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • for test execution, e.g. scheduling of test suites · CPC title

  • Test or assess a computer or a system · CPC title

  • G06F21/56 (Primary): Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • using dedicated hardware · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9411959B2 cover?
A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing t…
Who is the assignee on this patent?
Juniper Networks Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 9, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).