Depends on what process is opening those connections, unfortunately too many use the admin account so you would have to resort to examining traffic on port 5038 on /dev/ something like wireshark or
it will dump to the console any traffic on the ‘local’ (127.0.0.1) interface on port 5038 (AMI) you will see textual strings mixed in with hex control that should identify the ‘requests’ being made, these should help identify the actual client making those connections